{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-43911", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-08-17T09:11:59.295Z", "datePublished": "2024-08-26T10:11:15.545Z", "dateUpdated": "2026-05-11T20:32:09.574Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T20:32:09.574Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL dereference at band check in starting tx ba session\n\nIn MLD connection, link_data/link_conf are dynamically allocated. They\ndon't point to vif->bss_conf. So, there will be no chanreq assigned to\nvif->bss_conf and then the chan will be NULL. Tweak the code to check\nht_supported/vht_supported/has_he/has_eht on sta deflink.\n\nCrash log (with rtw89 version under MLO development):\n[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 9890.526102] #PF: supervisor read access in kernel mode\n[ 9890.526105] #PF: error_code(0x0000) - not-present page\n[ 9890.526109] PGD 0 P4D 0\n[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1\n[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018\n[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]\n[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211\n[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3\nAll code\n========\n 0:\tf7 e8 \timul %eax\n 2:\td5 \t(bad)\n 3:\t93 \txchg %eax,%ebx\n 4:\t3e ea \tds (bad)\n 6:\t48 83 c4 28 \tadd $0x28,%rsp\n a:\t89 d8 \tmov %ebx,%eax\n c:\t5b \tpop %rbx\n d:\t41 5c \tpop %r12\n f:\t41 5d \tpop %r13\n 11:\t41 5e \tpop %r14\n 13:\t41 5f \tpop %r15\n 15:\t5d \tpop %rbp\n 16:\tc3 \tretq\n 17:\tcc \tint3\n 18:\tcc \tint3\n 19:\tcc \tint3\n 1a:\tcc \tint3\n 1b:\t49 8b 84 24 e0 f1 ff \tmov -0xe20(%r12),%rax\n 22:\tff\n 23:\t48 8b 80 90 1b 00 00 \tmov 0x1b90(%rax),%rax\n 2a:*\t83 38 03 \tcmpl $0x3,(%rax)\t\t<-- trapping instruction\n 2d:\t0f 84 37 fe ff ff \tje 0xfffffffffffffe6a\n 33:\tbb ea ff ff ff \tmov $0xffffffea,%ebx\n 38:\teb cc \tjmp 0x6\n 3a:\t49 \trex.WB\n 3b:\t8b \t.byte 0x8b\n 3c:\t84 24 10 \ttest %ah,(%rax,%rdx,1)\n 3f:\tf3 \trepz\n\nCode starting with the faulting instruction\n===========================================\n 0:\t83 38 03 \tcmpl $0x3,(%rax)\n 3:\t0f 84 37 fe ff ff \tje 0xfffffffffffffe40\n 9:\tbb ea ff ff ff \tmov $0xffffffea,%ebx\n e:\teb cc \tjmp 0xffffffffffffffdc\n 10:\t49 \trex.WB\n 11:\t8b \t.byte 0x8b\n 12:\t84 24 10 \ttest %ah,(%rax,%rdx,1)\n 15:\tf3 \trepz\n[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246\n[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8\n[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685\n[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873\n[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70\n[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000\n[ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000\n[ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0\n[ 9890.526321] Call Trace:\n[ 9890.526324] <TASK>\n[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)\n[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)\n[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/agg-tx.c"], "versions": [{"version": "6092077ad09ce880c61735c314060f0bd79ae4aa", "lessThan": "a5594c1e03b0df3908b1e1202a1ba34422eed0f6", "status": "affected", "versionType": "git"}, {"version": "6092077ad09ce880c61735c314060f0bd79ae4aa", "lessThan": "021d53a3d87eeb9dbba524ac515651242a2a7e3b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/agg-tx.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.10.5", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.10.5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.11"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a5594c1e03b0df3908b1e1202a1ba34422eed0f6"}, {"url": "https://git.kernel.org/stable/c/021d53a3d87eeb9dbba524ac515651242a2a7e3b"}], "title": "wifi: mac80211: fix NULL dereference at band check in starting tx ba session", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43911", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:28:15.382346Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T17:32:56.586Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T22:07:16.250Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T22:07:16.250Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43911", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:28:15.382346Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:12.376Z"}}], "cna": {"title": "wifi: mac80211: fix NULL dereference at band check in starting tx ba session", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6092077ad09ce880c61735c314060f0bd79ae4aa", "lessThan": "a5594c1e03b0df3908b1e1202a1ba34422eed0f6", "versionType": "git"}, {"status": "affected", "version": "6092077ad09ce880c61735c314060f0bd79ae4aa", "lessThan": "021d53a3d87eeb9dbba524ac515651242a2a7e3b", "versionType": "git"}], "programFiles": ["net/mac80211/agg-tx.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.9"}, {"status": "unaffected", "version": "0", "lessThan": "6.9", "versionType": "semver"}, {"status": "unaffected", "version": "6.10.5", "versionType": "semver", "lessThanOrEqual": "6.10.*"}, {"status": "unaffected", "version": "6.11", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/mac80211/agg-tx.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/a5594c1e03b0df3908b1e1202a1ba34422eed0f6"}, {"url": "https://git.kernel.org/stable/c/021d53a3d87eeb9dbba524ac515651242a2a7e3b"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL dereference at band check in starting tx ba session\n\nIn MLD connection, link_data/link_conf are dynamically allocated. They\ndon't point to vif->bss_conf. So, there will be no chanreq assigned to\nvif->bss_conf and then the chan will be NULL. Tweak the code to check\nht_supported/vht_supported/has_he/has_eht on sta deflink.\n\nCrash log (with rtw89 version under MLO development):\n[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 9890.526102] #PF: supervisor read access in kernel mode\n[ 9890.526105] #PF: error_code(0x0000) - not-present page\n[ 9890.526109] PGD 0 P4D 0\n[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1\n[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018\n[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]\n[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211\n[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3\nAll code\n========\n 0:\tf7 e8 \timul %eax\n 2:\td5 \t(bad)\n 3:\t93 \txchg %eax,%ebx\n 4:\t3e ea \tds (bad)\n 6:\t48 83 c4 28 \tadd $0x28,%rsp\n a:\t89 d8 \tmov %ebx,%eax\n c:\t5b \tpop %rbx\n d:\t41 5c \tpop %r12\n f:\t41 5d \tpop %r13\n 11:\t41 5e \tpop %r14\n 13:\t41 5f \tpop %r15\n 15:\t5d \tpop %rbp\n 16:\tc3 \tretq\n 17:\tcc \tint3\n 18:\tcc \tint3\n 19:\tcc \tint3\n 1a:\tcc \tint3\n 1b:\t49 8b 84 24 e0 f1 ff \tmov -0xe20(%r12),%rax\n 22:\tff\n 23:\t48 8b 80 90 1b 00 00 \tmov 0x1b90(%rax),%rax\n 2a:*\t83 38 03 \tcmpl $0x3,(%rax)\t\t<-- trapping instruction\n 2d:\t0f 84 37 fe ff ff \tje 0xfffffffffffffe6a\n 33:\tbb ea ff ff ff \tmov $0xffffffea,%ebx\n 38:\teb cc \tjmp 0x6\n 3a:\t49 \trex.WB\n 3b:\t8b \t.byte 0x8b\n 3c:\t84 24 10 \ttest %ah,(%rax,%rdx,1)\n 3f:\tf3 \trepz\n\nCode starting with the faulting instruction\n===========================================\n 0:\t83 38 03 \tcmpl $0x3,(%rax)\n 3:\t0f 84 37 fe ff ff \tje 0xfffffffffffffe40\n 9:\tbb ea ff ff ff \tmov $0xffffffea,%ebx\n e:\teb cc \tjmp 0xffffffffffffffdc\n 10:\t49 \trex.WB\n 11:\t8b \t.byte 0x8b\n 12:\t84 24 10 \ttest %ah,(%rax,%rdx,1)\n 15:\tf3 \trepz\n[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246\n[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8\n[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685\n[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873\n[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70\n[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000\n[ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000\n[ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0\n[ 9890.526321] Call Trace:\n[ 9890.526324] <TASK>\n[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)\n[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)\n[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator\n---truncated---"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.10.5", "versionStartIncluding": "6.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.11", "versionStartIncluding": "6.9"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T20:32:09.574Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43911", "state": "PUBLISHED", "dateUpdated": "2026-05-11T20:32:09.574Z", "dateReserved": "2024-08-17T09:11:59.295Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-08-26T10:11:15.545Z", "assignerShortName": "Linux"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4CB0927-C720-465B-99F2-3E47215515F2", "versionEndExcluding": "6.10.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL dereference at band check in starting tx ba session\n\nIn MLD connection, link_data/link_conf are dynamically allocated. They\ndon't point to vif->bss_conf. So, there will be no chanreq assigned to\nvif->bss_conf and then the chan will be NULL. Tweak the code to check\nht_supported/vht_supported/has_he/has_eht on sta deflink.\n\nCrash log (with rtw89 version under MLO development):\n[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 9890.526102] #PF: supervisor read access in kernel mode\n[ 9890.526105] #PF: error_code(0x0000) - not-present page\n[ 9890.526109] PGD 0 P4D 0\n[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1\n[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018\n[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]\n[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211\n[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3\nAll code\n========\n 0:\tf7 e8 \timul %eax\n 2:\td5 \t(bad)\n 3:\t93 \txchg %eax,%ebx\n 4:\t3e ea \tds (bad)\n 6:\t48 83 c4 28 \tadd $0x28,%rsp\n a:\t89 d8 \tmov %ebx,%eax\n c:\t5b \tpop %rbx\n d:\t41 5c \tpop %r12\n f:\t41 5d \tpop %r13\n 11:\t41 5e \tpop %r14\n 13:\t41 5f \tpop %r15\n 15:\t5d \tpop %rbp\n 16:\tc3 \tretq\n 17:\tcc \tint3\n 18:\tcc \tint3\n 19:\tcc \tint3\n 1a:\tcc \tint3\n 1b:\t49 8b 84 24 e0 f1 ff \tmov -0xe20(%r12),%rax\n 22:\tff\n 23:\t48 8b 80 90 1b 00 00 \tmov 0x1b90(%rax),%rax\n 2a:*\t83 38 03 \tcmpl $0x3,(%rax)\t\t<-- trapping instruction\n 2d:\t0f 84 37 fe ff ff \tje 0xfffffffffffffe6a\n 33:\tbb ea ff ff ff \tmov $0xffffffea,%ebx\n 38:\teb cc \tjmp 0x6\n 3a:\t49 \trex.WB\n 3b:\t8b \t.byte 0x8b\n 3c:\t84 24 10 \ttest %ah,(%rax,%rdx,1)\n 3f:\tf3 \trepz\n\nCode starting with the faulting instruction\n===========================================\n 0:\t83 38 03 \tcmpl $0x3,(%rax)\n 3:\t0f 84 37 fe ff ff \tje 0xfffffffffffffe40\n 9:\tbb ea ff ff ff \tmov $0xffffffea,%ebx\n e:\teb cc \tjmp 0xffffffffffffffdc\n 10:\t49 \trex.WB\n 11:\t8b \t.byte 0x8b\n 12:\t84 24 10 \ttest %ah,(%rax,%rdx,1)\n 15:\tf3 \trepz\n[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246\n[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8\n[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685\n[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873\n[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70\n[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000\n[ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000\n[ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0\n[ 9890.526321] Call Trace:\n[ 9890.526324] <TASK>\n[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)\n[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)\n[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: mac80211: corrige la desreferencia NULL al comprobar la banda al iniciar la sesi\u00f3n tx ba En la conexi\u00f3n MLD, link_data/link_conf se asignan din\u00e1micamente. No apuntan a vif-&gt;bss_conf. Entonces, no habr\u00e1 ning\u00fan chanreq asignado a vif-&gt;bss_conf y luego el chan ser\u00e1 NULL. Modifique el c\u00f3digo para verificar ht_supported/vht_supported/has_he/has_eht en sta deflink. Registro de fallos (con la versi\u00f3n rtw89 bajo desarrollo MLO): [9890.526087] ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000000 [9890.526102] #PF: acceso de lectura del supervisor en modo kernel [9890.526105] #PF: error_code(0x0000) - no presente p\u00e1gina [ 9890.526109] PGD 0 P4D 0 [ 9890.526114] Ups: 0000 [#1] PREEMPT SMP PTI [ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: cargado Contaminado: G OE 6.9.0 #1 [ 0010: ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminador 1)) mac80211 [ 9890.526279] C\u00f3digo: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 &lt;83&gt; 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3 Todo el c\u00f3digo ======== 0: f7 e8 imul %eax 2: d5 (malo) 3: 93 xchg %eax,%ebx 4: 3e ea ds (malo) 6: 48 83 c4 28 add $0x28,%rsp a: 89 d8 mov %ebx,%eax c: 5b pop %rbx d: 41 5c pop %r12 f: 41 5d pop %r13 11: 41 5e pop %r14 13: 41 5f pop %r15 15: 5d pop %rbp 16: c3 retq 17: cc int3 18: cc int3 19: cc int3 1a: cc int3 1b : 49 8b 84 24 e0 f1 ff mov -0xe20(%r12),%rax 22: ff 23: 48 8b 80 90 1b 00 00 mov 0x1b90(%rax),%rax 2a:* 83 38 03 cmpl $0x3,( %rax) &lt;-- instrucci\u00f3n de captura 2d: 0f 84 37 fe ff ff je 0xfffffffffffffe6a 33: bb ea ff ff ff mov $0xffffffea,%ebx 38: eb cc jmp 0x6 3a: 49 rex.WB 3b: 8b .byte 0x8b 3c : 84 24 10 test %ah,(%rax,%rdx,1) 3f: f3 repz C\u00f3digo que comienza con la instrucci\u00f3n err\u00f3nea ======================== ==================== 0: 83 38 03 cmpl $0x3,(%rax) 3: 0f 84 37 fe ff ff je 0xfffffffffffffe40 9: bb ea ff ff mov $0xffffffea,%ebx e: eb cc jmp 0xffffffffffffffdc 10: 49 rex.WB 11: 8b .byte 0x8b 12: 84 24 10 prueba %ah,(%rax,%rdx,1) 15: f3 repz [ 9890.526285] RSP : 0018:ffffb8db09013d68 EFLAGS: 00010246 [ 9890.526291] RAX: 0000000000000000 RBX: 00000000000000000 RCX: ffff9308e0d656c8 [ 9890.526295] X: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685 [ 9890.526300] RBP: ffffb8db09013db8 R08: 00000000000000000 R09: 0000000000000873 [ 9 890.526304] R10: ffff9308e0d64800 R11 : 000000000000000002 R12: FFFF9308E5FF6E70 [9890.526308] R13: FFFF930952500E20 R14: FFFF9309192A8C00 R15: 000000000000000000 [9890.526313] 4E700000 (0000) KNLGS: 000000000000000000 [9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 00000080050033 [ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0 [ 9890.526321] Seguimiento de llamadas: [ 9890.526324] [ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479) [9890.526335]? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) [ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713) [9890.526347]? search_module_extables (kernel/module/main.c:3256 (discriminador ---truncado---"}], "id": "CVE-2024-43911", "lastModified": "2025-11-03T22:18:21.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-08-26T11:15:05.227", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/021d53a3d87eeb9dbba524ac515651242a2a7e3b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a5594c1e03b0df3908b1e1202a1ba34422eed0f6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:9315", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "kernel: wifi: mac80211: fix NULL dereference at band check in starting tx ba session", "id": "2307884", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2307884"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nwifi: mac80211: fix NULL dereference at band check in starting tx ba session\nIn MLD connection, link_data/link_conf are dynamically allocated. They\ndon't point to vif->bss_conf. So, there will be no chanreq assigned to\nvif->bss_conf and then the chan will be NULL. Tweak the code to check\nht_supported/vht_supported/has_he/has_eht on sta deflink.\nCrash log (with rtw89 version under MLO development):\n[ 9890.526087] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 9890.526102] #PF: supervisor read access in kernel mode\n[ 9890.526105] #PF: error_code(0x0000) - not-present page\n[ 9890.526109] PGD 0 P4D 0\n[ 9890.526114] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 9890.526119] CPU: 2 PID: 6367 Comm: kworker/u16:2 Kdump: loaded Tainted: G OE 6.9.0 #1\n[ 9890.526123] Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB3WW (2.73 ) 11/28/2018\n[ 9890.526126] Workqueue: phy2 rtw89_core_ba_work [rtw89_core]\n[ 9890.526203] RIP: 0010:ieee80211_start_tx_ba_session (net/mac80211/agg-tx.c:618 (discriminator 1)) mac80211\n[ 9890.526279] Code: f7 e8 d5 93 3e ea 48 83 c4 28 89 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 49 8b 84 24 e0 f1 ff ff 48 8b 80 90 1b 00 00 <83> 38 03 0f 84 37 fe ff ff bb ea ff ff ff eb cc 49 8b 84 24 10 f3\nAll code\n========\n0:f7 e8 imul %eax\n2:d5 (bad)\n3:93 xchg %eax,%ebx\n4:3e ea ds (bad)\n6:48 83 c4 28 add $0x28,%rsp\na:89 d8 mov %ebx,%eax\nc:5b pop %rbx\nd:41 5c pop %r12\nf:41 5d pop %r13\n11:41 5e pop %r14\n13:41 5f pop %r15\n15:5d pop %rbp\n16:c3 retq\n17:cc int3\n18:cc int3\n19:cc int3\n1a:cc int3\n1b:49 8b 84 24 e0 f1 ff mov -0xe20(%r12),%rax\n22:ff\n23:48 8b 80 90 1b 00 00 mov 0x1b90(%rax),%rax\n2a:*83 38 03 cmpl $0x3,(%rax)<-- trapping instruction\n2d:0f 84 37 fe ff ff je 0xfffffffffffffe6a\n33:bb ea ff ff ff mov $0xffffffea,%ebx\n38:eb cc jmp 0x6\n3a:49 rex.WB\n3b:8b .byte 0x8b\n3c:84 24 10 test %ah,(%rax,%rdx,1)\n3f:f3 repz\nCode starting with the faulting instruction\n===========================================\n0:83 38 03 cmpl $0x3,(%rax)\n3:0f 84 37 fe ff ff je 0xfffffffffffffe40\n9:bb ea ff ff ff mov $0xffffffea,%ebx\ne:eb cc jmp 0xffffffffffffffdc\n10:49 rex.WB\n11:8b .byte 0x8b\n12:84 24 10 test %ah,(%rax,%rdx,1)\n15:f3 repz\n[ 9890.526285] RSP: 0018:ffffb8db09013d68 EFLAGS: 00010246\n[ 9890.526291] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9308e0d656c8\n[ 9890.526295] RDX: 0000000000000000 RSI: ffffffffab99460b RDI: ffffffffab9a7685\n[ 9890.526300] RBP: ffffb8db09013db8 R08: 0000000000000000 R09: 0000000000000873\n[ 9890.526304] R10: ffff9308e0d64800 R11: 0000000000000002 R12: ffff9308e5ff6e70\n[ 9890.526308] R13: ffff930952500e20 R14: ffff9309192a8c00 R15: 0000000000000000\n[ 9890.526313] FS: 0000000000000000(0000) GS:ffff930b4e700000(0000) knlGS:0000000000000000\n[ 9890.526316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 9890.526318] CR2: 0000000000000000 CR3: 0000000391c58005 CR4: 00000000001706f0\n[ 9890.526321] Call Trace:\n[ 9890.526324] <TASK>\n[ 9890.526327] ? show_regs (arch/x86/kernel/dumpstack.c:479)\n[ 9890.526335] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n[ 9890.526340] ? page_fault_oops (arch/x86/mm/fault.c:713)\n[ 9890.526347] ? search_module_extables (kernel/module/main.c:3256 (discriminator\n---truncated---"], "name": "CVE-2024-43911", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-08-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-43911\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-43911\nhttps://lore.kernel.org/linux-cve-announce/2024082631-CVE-2024-43911-96bb@gregkh/T"], "threat_severity": "Moderate"}

{}