CVE-2024-56541
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's ath12k WiFi driver allows attackers to potentially crash the system or execute arbitrary code when the driver module is being unloaded. This affects Linux systems using vulnerable versions of the ath12k driver for Qualcomm WiFi chipsets. The vulnerability occurs during module removal when freed memory is accessed.
💻 Affected Systems
- Linux kernel ath12k WiFi driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash or potential arbitrary code execution with kernel privileges, resulting in complete system compromise.
Likely Case
System crash or kernel panic when unloading the ath12k module, causing service disruption.
If Mitigated
No impact if the system is not using the vulnerable ath12k driver or has been patched.
🎯 Exploit Status
Requires local access and CAP_SYS_MODULE capability to unload kernel modules. The vulnerability triggers during module removal sequence.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 35be5018a2a4d1b07bdfcf957c81121d22d16355, bdb281103373fd80eb5c91cede1e115ba270b4e9, or e5e15c8b42923bfb6c84d3d906a9965d9a0f111d
Vendor Advisory: https://git.kernel.org/stable/c/35be5018a2a4d1b07bdfcf957c81121d22d16355
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Reboot system to load new kernel.
3. Verify ath12k driver is not accessing freed memory during module removal.
🔧 Temporary Workarounds
Prevent ath12k module unloading
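Linux: Restrict ability to unload the ath12k kernel module
# 'remove' makes "modprobe -r ath12k" run /bin/false instead of unloading the module
echo 'remove ath12k /bin/false' >> /etc/modprobe.d/ath12k-blacklist.conf
# Do not run rmmod ath12k on an unpatched kernel: rmmod bypasses modprobe.d and starts the removal sequence that triggers the bug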
Disable ath12k driver
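Linux: Prevent loading of vulnerable ath12k driver
echo 'blacklist ath12k' >> /etc/modprobe.d/blacklist-ath12k.conf
# update-initramfs is the Debian/Ubuntu tool; on other distributions use their initramfs rebuild command
update-initramfs -u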
reboot
🧯 If You Can't Patch
- Restrict module loading/unloading privileges using Linux capabilities (remove CAP_SYS_MODULE from non-admin users)
- Monitor for attempts to unload kernel modules and alert on suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check if ath12k module is loaded: lsmod | grep ath12k. Check kernel version: uname -r and verify if it contains vulnerable ath12k code.
Check Version:
uname -r
Verify Fix Applied:
After patching, attempt to unload ath12k module: rmmod ath12k (if loaded). Monitor system logs for crash reports. Check dmesg for KASAN errors related to ath12k_dp_cc_cleanup.
📡 Detection & Monitoring
Log Indicators:
- KASAN use-after-free reports in dmesg/kernel logs
- Kernel panic messages during module removal
- Call traces mentioning ath12k_dp_cc_cleanup
Network Indicators:
- Sudden loss of WiFi connectivity on affected interfaces
SIEM Query:
source="kernel" AND ("ath12k_dp_cc_cleanup" OR "KASAN: use-after-free" OR ("ath12k" AND "panic"))
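The log indicators above can be correlated per KASAN report instead of matched as loose keywords. This is an added example, not code from the advisory or the kernel project: it flags only use-after-free reports whose header or call trace names ath12k_dp_cc_cleanup. The sample log lines, addresses, offsets, PIDs and the `example_drv` module are constructed for illustration.

```python
import re

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
# Newer kernels label slab objects "slab-use-after-free", so accept both forms.
HEAD = re.compile(r"BUG: KASAN: (?P<kind>(?:slab-)?use-after-free) in (?P<func>[\w.]+)")
TASK = re.compile(r"by task (?P<comm>\S+)/\d+")
TARGET = "ath12k_dp_cc_cleanup"  # function named in the page's log indicators

def find_ath12k_uaf(lines):
    """Return one dict per KASAN use-after-free report whose text names TARGET."""
    findings, report = [], None
    def close():
        nonlocal report
        if report and any(TARGET in l for l in report["lines"]):
            findings.append({k: report[k] for k in ("kind", "func", "task")})
        report = None

    for raw in lines:
        line = TS.sub("", raw).strip()
        head = HEAD.search(line)
        if head:  # a new report starts; flush any unterminated one first
            close()
            report = dict(kind=head["kind"], func=head["func"], task=None, lines=[line])
        elif report is not None:
            if line.startswith("====="):  # KASAN ends a report with a ruler line
                close()
                continue
            report["lines"].append(line)
            task = TASK.search(line)
            if task and report["task"] is None:
                report["task"] = task["comm"]
    close()  # the log may be cut off mid-report, e.g. by a panic during removal
    return findings

# Constructed sample: one ath12k report, one unrelated report, one truncated report.
SAMPLE = """\
[  311.200000] ==================================================================
[  311.200010] BUG: KASAN: use-after-free in ath12k_dp_cc_cleanup+0x100/0x200 [ath12k]
[  311.200020] Read of size 8 at addr ffff888100000000 by task rmmod/4242
[  311.200040]  __x64_sys_delete_module+0x10/0x20
[  311.200050] ==================================================================
[  400.000010] BUG: KASAN: slab-use-after-free in example_drv_release+0x10/0x40 [example_drv]
[  400.000020] Read of size 4 at addr ffff888100000100 by task cat/777
[  400.000030] ==================================================================
[  410.000000] ath12k_pci 0000:03:00.0: constructed unrelated driver message
[  500.000010] BUG: KASAN: slab-use-after-free in kfree_skb+0x10/0x40
[  500.000020]  ath12k_dp_cc_cleanup+0x120/0x200 [ath12k]
""".splitlines()

print(find_ath12k_uaf(SAMPLE))
```

Feed it `dmesg` or journal output line by line; the `task` field shows which process drove the removal, which helps separate an administrator's `rmmod` from unexpected module unloads.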