CVE-2024-56663
📋 TL;DR
This is an off-by-one vulnerability in the Linux kernel's nl80211 WiFi subsystem that allows out-of-bounds memory access when handling Multi-Link Operation (MLO) link IDs. Attackers with local access can trigger a kernel crash (DoS) or potentially execute arbitrary code. Systems running vulnerable Linux kernel versions with WiFi capabilities are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel memory corruption leading to arbitrary code execution with kernel privileges, potentially resulting in full system compromise.
Likely Case
Kernel panic or system crash causing denial of service, requiring system reboot.
If Mitigated
Limited impact if WiFi is disabled or MLO features are not used.
🎯 Exploit Status
Requires CAP_NET_ADMIN or root privileges to send nl80211 commands. The crash stack shows it was found by fuzzing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in kernel commits: 29e640ae641b9f5ffc666049426d2b16c98d9963, 2e3dbf938656986cce73ac4083500d0bcfbffe24, f3412522f78826fef1dfae40ef378a863df2591c, f850d1d9f1106f528dfc5807565f2d1fa9a397d3
Vendor Advisory: https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution.
2. For Debian: apt update && apt upgrade linux-image-*
3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable WiFi MLO
Disable Multi-Link Operation features if not required
iw dev wlan0 set mlo disabled
Restrict nl80211 access
Limit CAP_NET_ADMIN capabilities to prevent unprivileged users from sending nl80211 commands
setcap -r /usr/sbin/iw
🧯 If You Can't Patch
- Disable WiFi interfaces completely if not needed
- Implement strict access controls to prevent unprivileged users from accessing WiFi configuration
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if MLO is enabled: uname -r && iw phy | grep -i mlo
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is updated beyond vulnerable commits and test WiFi MLO functionality
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- KASAN reports of wild-memory-access in nl80211 or ieee80211 modules
- System crashes/reboots
Network Indicators:
- Abnormal nl80211 netlink traffic patterns
- Multiple control port transmission attempts
SIEM Query:
source="kernel" AND ("KASAN" OR "wild-memory-access" OR "nl80211" OR "ieee80211_tx_control_port")
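The SIEM query above matches any kernel line that mentions nl80211, including benign ones. The following added example (not part of the original advisory) narrows it to KASAN wild-memory-access reports whose trace touches the nl80211 control-port path. The function name `scan_kasan`, the 40-line report window and the sample log are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag KASAN wild-memory-access reports whose trace touches the
# nl80211 control-port path, instead of matching any line that says "nl80211".

# scan_kasan [WINDOW]: read kernel log text on stdin and print the header line
# of each matching report. WINDOW is the number of lines after the header that
# are treated as part of the same report (assumed default: 40).
scan_kasan() {
    awk -v win="${1:-40}" '
        function emit() { if (active && hit) print head; active = 0 }
        /KASAN:.*wild-memory-access/ {
            emit()                      # a new report closes the previous one
            active = 1; hit = 0; left = win; head = $0
        }
        active {
            if ($0 ~ /nl80211_|ieee80211_tx_control_port/) hit = 1
            if (left-- <= 0) emit()     # window exhausted
        }
        END { emit() }
    '
}

# Constructed sample log (not captured from a real system).
SAMPLE_LOG=$(cat <<'EOF'
[  101.000001] wlan0: nl80211 scan finished
[  245.100001] Oops: general protection fault, probably for non-canonical address
[  245.100002] KASAN: wild-memory-access in range [0x0000000000000ee0-0x0000000000000ee7]
[  245.100003] RIP: 0010:ieee80211_tx_control_port+0x100/0x200
[  245.100004] Call Trace:
[  245.100005]  nl80211_tx_control_port+0x100/0x200
[  245.100006]  genl_rcv_msg+0x100/0x200
[  300.200001] KASAN: wild-memory-access in range [0x0000000000000010-0x0000000000000017]
[  300.200002] RIP: 0010:example_drv_read+0x10/0x20
[  300.200003] Call Trace:
[  300.200004]  vfs_read+0x100/0x200
EOF
)

# Only the first report is printed: the benign nl80211 line and the unrelated
# report in the hypothetical example_drv_read are ignored.
printf '%s\n' "$SAMPLE_LOG" | scan_kasan
```

On a live host, pipe `journalctl -k` or `dmesg` output into `scan_kasan` instead of the sample.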
🔗 References
- https://git.kernel.org/stable/c/29e640ae641b9f5ffc666049426d2b16c98d9963
- https://git.kernel.org/stable/c/2e3dbf938656986cce73ac4083500d0bcfbffe24
- https://git.kernel.org/stable/c/f3412522f78826fef1dfae40ef378a863df2591c
- https://git.kernel.org/stable/c/f850d1d9f1106f528dfc5807565f2d1fa9a397d3
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html