Linux Kernel cfg80211 Wireless Subsystem Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's wireless cfg80211 subsystem. This issue arises because key information in the wext.connect structure is not properly reset during (re)connections, allowing it to retain data from previous connections. As a result, drivers or the mac80211 layer may incorrectly interpret a WEP connection request and access memory that has already been freed or reused. The vulnerability affects several versions of the Linux kernel.
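The stale-key pattern described above, as an added example that is not kernel code and not taken from the patch: a small userspace C model in which a connect-parameters structure outlives the connection that supplied its key. All struct and function names are hypothetical, and a NULL key store stands in for keys that have been freed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only; every name here is hypothetical, not a kernel identifier. */
struct key_store {                 /* keys owned by one connection */
    unsigned char wep[13];
    size_t len;
};
struct connect_params {            /* persists across connections, like wext.connect */
    const unsigned char *key;      /* borrowed pointer into a key_store */
    size_t key_len;
};
struct wdev_model {
    struct key_store *keys;        /* current connection's keys, NULL once torn down */
    struct connect_params connect;
};

/* Build a connect request; reset_first = false models the flawed path. */
static void prepare_connect(struct wdev_model *w, bool reset_first)
{
    if (reset_first) {             /* the fix: never inherit key info */
        w->connect.key = NULL;
        w->connect.key_len = 0;
    }
    if (w->keys && w->keys->len) { /* only populate from keys that exist now */
        w->connect.key = w->keys->wep;
        w->connect.key_len = w->keys->len;
    }
}

/* WEP connection, teardown, then reconnect without keys. Returns true when
 * the second request still carries a key, i.e. a driver would read it as WEP. */
static bool reconnect_sees_stale_key(bool reset_first)
{
    struct key_store old = { .wep = {1, 2, 3, 4, 5}, .len = 5 };  /* constructed key */
    struct wdev_model w = { .keys = &old };
    prepare_connect(&w, reset_first);  /* first connection uses WEP */
    w.keys = NULL;                     /* stands in for the keys being freed */
    prepare_connect(&w, reset_first);  /* second connection has no keys */
    return w.connect.key != NULL;
}

int main(void)
{
    printf("no reset: stale=%d, reset: stale=%d\n",
           reconnect_sees_stale_key(false), reconnect_sees_stale_key(true));
    return 0;
}
```

Without the reset, the second request still points at the first connection's key; with the reset, the request carries no key and cannot be mistaken for WEP.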

Impact

Exploitation of this vulnerability can lead to memory corruption issues, where freed or reused memory is accessed incorrectly. This type of memory mishandling can potentially be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the system.

Reproduction

To reproduce this vulnerability, connect to a Wi-Fi network using the wext interface. Then, attempt to reconnect to the same or a different network without resetting the connection keys. The driver may incorrectly process the connection request, leading to access of freed or reused memory.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Sep 15, 2025, 9:22 PM
Updated: Sep 15, 2025, 9:22 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.4
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.