Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.6.56-05896-g89f5fb0eb30b, < 6.6.56-05896-g89f5fb0eb30b
A NULL pointer dereference vulnerability has been identified in the Linux kernel's rtw89 wireless driver. This issue occurs when the software incorrectly reports the reception of a packet on the 6 GHz band, despite the hardware not supporting it. The vulnerability arises because the software does not initialize the necessary components for unsupported bands, leading to a NULL dereference. The problem is triggered in the function sequence rtw89_vif_rx_stats_iter() followed by rtw89_core_cancel_6ghz_probe_tx(). The vulnerability has been observed in Linux kernel versions through 6.6.56.
Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting normal system operation.
The vulnerability can be reproduced by receiving a packet on the 6 GHz band with a chipset that does not support it. This can be simulated by using a device with an unsupported Wi-Fi 6E adapter or by manipulating the driver's reception reports to indicate 6 GHz activity when it is not supported. The rtw89 wireless driver must be active, and the device should be configured to receive on the 6 GHz band.
Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. The patch is available in the Linux kernel stable tree.
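The bug class described above, as an added userspace model (not rtw89 source and not the upstream patch): per-band state is left NULL for bands the hardware does not support, and the RX statistics path must validate the reported band before touching it. All type and function names are hypothetical, and the device in `demo_report()` is constructed for the example.

```c
#include <errno.h>
#include <stddef.h>

/* Userspace model of the bug class; every name here is hypothetical. */
enum band { BAND_2GHZ, BAND_5GHZ, BAND_6GHZ, NUM_BANDS };

struct band_state { unsigned long rx_pkts; int probe_pending; };

struct wifi_dev {
    struct band_state *bands[NUM_BANDS]; /* NULL = band never initialized */
    unsigned long rx_bad_band;           /* reports rejected by the check */
};

/* Before: trusts the reported band, so a 6 GHz report on hardware
 * without 6 GHz support dereferences NULL. Shown only for contrast. */
int rx_stats_unchecked(struct wifi_dev *dev, int band)
{
    struct band_state *bs = dev->bands[band];
    bs->rx_pkts++;
    if (band == BAND_6GHZ)
        bs->probe_pending = 0;
    return 0;
}

/* After: validate the index, then confirm the band was initialized. */
int rx_stats_checked(struct wifi_dev *dev, int band)
{
    struct band_state *bs;

    if (band < 0 || band >= NUM_BANDS || !(bs = dev->bands[band])) {
        dev->rx_bad_band++;
        return -EINVAL;
    }
    bs->rx_pkts++;
    if (band == BAND_6GHZ)
        bs->probe_pending = 0; /* cancel the pending 6 GHz probe */
    return 0;
}

/* Constructed scenario: a device with 2.4/5 GHz only receives one
 * report for `band`; returns the checked handler's result. */
int demo_report(int band)
{
    struct band_state b2 = {0}, b5 = {0};
    struct wifi_dev dev = { .bands = { &b2, &b5, NULL }, .rx_bad_band = 0 };
    return rx_stats_checked(&dev, band);
}
```

Counting rejected reports in `rx_bad_band` gives operators a signal that the RX path is reporting a band the device never initialized, instead of the condition surfacing only as a kernel panic.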