Linux Kernel mt76 Driver Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's mt76 wireless driver. This issue arises when the driver improperly manages memory related to wireless client identifiers, leading to potential memory corruption. The vulnerability was detected by the Kernel Address Sanitizer (KASAN), which reported a read operation from a freed memory address. The problem occurs in the mt76_txq_schedule function, where the transmission queue's client identifier pointer is not adequately protected, allowing for unsafe memory access.

Impact

Exploitation of this vulnerability can lead to memory corruption, which may be leveraged to execute arbitrary code or cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by using the mt76 wireless driver in the Linux kernel. When the driver processes authentication or disassociation events, it can inadvertently access freed memory, triggering the use-after-free condition. This can be observed by monitoring the kernel logs for KASAN use-after-free warnings, which indicate that freed memory was accessed.
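
The log check described above can be automated on a KASAN-enabled kernel. The following is an added example, not part of the original advisory or of the kernel project: it scans kernel log lines for KASAN use-after-free reports raised inside the mt76 module and extracts the faulting function and access details. It assumes the standard KASAN report header layout; the function name find_uaf_reports, the names example_fn and othermod, and all sample log lines are constructed for illustration.

```python
import re

# Header line of a KASAN report, e.g.
#   BUG: KASAN: use-after-free in func+0x1a0/0x900 [module]
# Newer kernels print "slab-use-after-free" for slab objects.
HEADER = re.compile(
    r"BUG: KASAN: (?P<kind>(?:slab-)?use-after-free) in "
    r"(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<module>[\w-]+)\])?"
)
# Line that follows the header: "Read of size 8 at addr ffff... by task name/pid"
ACCESS = re.compile(
    r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
    r"by task (?P<task>.+)/(?P<pid>\d+)"
)

def find_uaf_reports(lines, module="mt76"):
    """Return one dict per KASAN use-after-free report raised in `module`."""
    reports, current = [], None
    for line in lines:
        m = HEADER.search(line)
        if m:
            # A new report starts; track it only if it is in the watched module.
            current = m.groupdict() if m["module"] == module else None
            if current is not None:
                reports.append(current)
            continue
        a = ACCESS.search(line)
        # Attach the first access line to the report currently being tracked.
        if a and current is not None and "op" not in current:
            current.update(a.groupdict())
    return reports

# Constructed sample (not captured from a real system): two reports, one in mt76.
SAMPLE_LOG = """\
[  112.340001] ==================================================================
[  112.340010] BUG: KASAN: use-after-free in mt76_txq_schedule+0x1a0/0x900 [mt76]
[  112.340020] Read of size 8 at addr ffffff80a1b2c3d8 by task mt76-tx phy0/912
[  112.340030] CPU: 2 PID: 912 Comm: mt76-tx phy0 Tainted: G        W
[  140.100000] BUG: KASAN: slab-use-after-free in example_fn+0x10/0x40 [othermod]
[  140.100010] Write of size 4 at addr ffffff80deadbe00 by task worker/77
""".splitlines()

if __name__ == "__main__":
    for r in find_uaf_reports(SAMPLE_LOG):
        print(f"{r['kind']} in {r['func']} [{r['module']}]: {r['op']} of size "
              f"{r['size']} at {r['addr']} by {r['task']} (pid {r['pid']})")
```

On a live system the same function can be fed the lines of the kernel log instead of the constructed sample; a hit in mt76_txq_schedule on an unpatched kernel matches the condition this advisory describes.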

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Consult the Linux kernel changelog or your distribution's update notes for specific version details.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.