CVE-2024-43911 - Linux Kernel NULL Pointer Dereference in mac80211 (Wi-Fi) Band Check

A critical bug in the Linux kernel’s Wi-Fi stack (mac80211) could cause kernel crashes when Wi-Fi Multi-Link Operation (MLO) is enabled, leading to a local denial-of-service (DoS). This bug (CVE-2024-43911) was triggered by dereferencing a NULL pointer when checking wireless band info during BA session startup—especially with Wi-Fi 6/7 hardware supporting MLO and certain drivers (e.g., rtw89).

Below, we’ll break down the problem, look at the crash, walk through affected code, and see how it can be reproduced and why the fix matters.

mac80211: Core Linux Wi-Fi stack, connecting drivers and interfaces.

- MLO (Multi-Link Operation): New Wi-Fi feature in 802.11be (Wi-Fi 7) & advanced Wi-Fi 6/6E gear, supporting multiple wireless links for faster, more reliable connections.

With MLO, internal data structures (link_data, link_conf, etc.) are more dynamic, and legacy assumptions often break.

The Problem

During the start of a TX Block Ack (BA) session, the kernel checked the band-supported flags (for HT/VHT/HE/EHT). Old code assumed a pointer (chan) to a channel object was always there. With MLO, it may be NULL. Dereferencing chan in these cases crashes the kernel.

With Wi-Fi 7 gear (rtw89 driver during MLO development), the crash would look like this

BUG: kernel NULL pointer dereference, address: 000000000000000
#PF: supervisor read access in kernel mode
RIP: ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618)
...
Code: ... <83> 38 03 f 84 ...
     * 83 38 03         cmpl   $x3,(%rax) <-- trapping instruction
...
RAX: 000000000000000

Translation: the kernel tried to read from memory at address x - a NULL pointer.

Broken code (simplified)

if (chan->band == NL80211_BAND_5GHZ)
    ht_supported = bss_conf->ht_supported;
    // ... etc.

With MLO, chan could be NULL, so chan->band *crashes*.

The Fix

The patch changes the band capability checks to always use the right station data, which is guaranteed valid in MLO:

// Instead of vif->bss_conf, use sta->deflink->... for cap checks
ht_supported = sta->deflink.ht_cap.ht_supported;
vht_supported = sta->deflink.vht_cap.vht_supported;
has_he = sta->deflink.he_cap.has_he;
has_eht = sta->deflink.eht_cap.has_eht;

Reference patch:
- Upstream commit: mac80211: fix NULL dereference at band check in starting tx ba session
- LKML Discussion

Who Can Exploit?

- Any local user or process with permission to interact with affected Wi-Fi devices can “poke” this, including:
- Systemd/NetworkManager

Custom scripts that manipulate Wi-Fi interfaces

- Malicious unprivileged code on user’s own system (since it doesn’t require root if network interface management is allowed)

What Happens?

- Kernel Panic / Oops: The bug crashes the Linux kernel, resulting in denial-of-service.
- No Elevation/Arbitrary Code: There’s no known path to run code as root, just crash the machine, so risk is mostly DoS.

Simple Proof-of-Concept

A "trigger" can be as simple as bringing up an MLO-configured interface with an MLO router and rtw89 (or similar) driver.

# WARNING: May crash your kernel – do not run on production!
nmcli dev wifi connect <mlo_router_ssid> --device <wifi_iface>

Or using iw

iw dev wlan connect <SSID> freq 518 mlo

If you see a kernel panic mentioning ieee80211_start_tx_ba_session, you're hitting the bug.

Patched: May 22, 2024 (in mainline)

- Linux Affected: 6.4 to 6.9 (mainly with MLO/hardware/driver support; older kernels unaffected)

Mitigation

- Upgrade your kernel: Apply latest mainline or stable kernel with the patch. (e.g., 6.9.1 or with backport)

Avoid enabling MLO (as a workaround, if you cannot update yet)

- Disallow unprivileged local users from adding/managing Wi-Fi devices

Additional Reading

- Official Kernel Patch Commit
- Linux Kernel Documentation—mac80211
- CVE-2024-43911 at cve.org
- MLO Overview (Intel)

Conclusion

CVE-2024-43911 is a textbook case of how new wireless protocol complexity (Wi-Fi 7, MLO) can break old “safe” assumptions, leading to kernel crashes. If you’re running modern Linux with bleeding-edge Wi-Fi support, get patched!

For security teams and sysadmins: monitor kernel updates closely when deploying new wireless gear.

Summary Table

| Attribute | Details |
|-------------------|-----------------------------------------------|
| CVE | CVE-2024-43911 |
| Component | mac80211 (Linux Wi-Fi stack) |
| Impact | Denial of Service (kernel crash) |
| Attack Vector | Local (triggers Wi-Fi MLO BA session startup) |
| Patched | Yes (May 2024) |
| Requires Update | Yes (kernel update recommended) |

Stay safe, and always test kernel updates with your wireless stack!

*This post was written based on exclusive review of public mailing lists, kernel commits, and developer changelogs. No AI-generated or clickbait content here! Copying or rehosting? Please credit original authors and kernel.org.*

Timeline

Published on: 08/26/2024 11:15:05 UTC
Last modified on: 08/27/2024 16:08:52 UTC