CVE-2024-26895
📋 TL;DR
This is a use-after-free vulnerability in the Linux kernel's wilc1000 WiFi driver that occurs during network interface cleanup. When removing WiFi interfaces (e.g., during driver unbind or module removal), the driver accesses freed memory, potentially leading to kernel crashes or code execution. Systems using the wilc1000 WiFi driver are affected.
💻 Affected Systems
- Linux kernel with wilc1000 WiFi driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic, system crash, or potential arbitrary code execution with kernel privileges leading to complete system compromise.
Likely Case
System instability, kernel crashes, or denial of service when WiFi interfaces are removed or during driver cleanup operations.
If Mitigated
Minor system instability during WiFi driver operations if proper access controls prevent malicious triggering.
🎯 Exploit Status
Requires local access and ability to trigger driver cleanup operations. The vulnerability is a use-after-free which could potentially be leveraged for privilege escalation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in Linux kernel commits: 24228dcf1d30c2231caa332be7d3090ac59fbfe9, 3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447, 5956f4203b6cdd0755bbdd21b45f3933c7026208, 73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb, a9545af2a533739ffb64d6c9a6fec6f13e2b505f
Vendor Advisory: https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits. 2. Reboot system to load new kernel. 3. Check kernel version to confirm update.
🔧 Temporary Workarounds
Disable wilc1000 driver
linuxPrevent loading of the vulnerable wilc1000 WiFi driver
echo 'blacklist wilc1000' >> /etc/modprobe.d/blacklist.conf
rmmod wilc1000
Restrict driver operations
linuxLimit access to driver unbind operations to prevent triggering
chmod 600 /sys/bus/spi/drivers/wilc1000_spi/unbind
🧯 If You Can't Patch
- Restrict local user access to prevent driver unbind operations
- Monitor system logs for KASAN warnings related to wilc_netdev_cleanup
🔍 How to Verify
Check if Vulnerable:
Check if system uses wilc1000 driver: lsmod | grep wilc1000. Check kernel version against patched versions.Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes fix commits. Test driver unbind: echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind (monitor for KASAN warnings).📡 Detection & Monitoring
Log Indicators:
- KASAN warnings mentioning wilc_netdev_cleanup
- Kernel panic or crash logs during WiFi driver operations
- System logs showing driver unbind operations
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
source="kernel" AND ("wilc_netdev_cleanup" OR "KASAN" AND "use-after-free")🔗 References
- https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9
- https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447
- https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208
- https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb
- https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f
- https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c
- https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1
- https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9
- https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447
- https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208
- https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb
- https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f
- https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c
- https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
