{"id":"CVE-2024-35811","summary":"wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\n\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\n\nIn brcm80211 driver, it starts with the following invoking chain\nto start init a timeout worker:\n\n-\u003ebrcmf_usb_probe\n  -\u003ebrcmf_usb_probe_cb\n    -\u003ebrcmf_attach\n      -\u003ebrcmf_bus_started\n        -\u003ebrcmf_cfg80211_attach\n          -\u003ewl_init_priv\n            -\u003ebrcmf_init_escan\n              -\u003eINIT_WORK(&cfg-\u003eescan_timeout_work,\n\t\t  brcmf_cfg80211_escan_timeout_worker);\n\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\n\nbrcmf_usb_disconnect\n  -\u003ebrcmf_usb_disconnect_cb\n    -\u003ebrcmf_detach\n      -\u003ebrcmf_cfg80211_detach\n        -\u003ekfree(cfg);\n\nWhile the timeout worker may still be running. 
This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\n\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\n\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]","modified":"2026-04-02T11:51:13.462296Z","published":"2024-05-17T13:23:17.508Z","related":["SUSE-SU-2024:1979-1","SUSE-SU-2024:1983-1","SUSE-SU-2024:2008-1","SUSE-SU-2024:2010-1","SUSE-SU-2024:2011-1","SUSE-SU-2024:2019-1","SUSE-SU-2024:2135-1","SUSE-SU-2024:2183-1","SUSE-SU-2024:2184-1","SUSE-SU-2024:2185-1","SUSE-SU-2024:2189-1","SUSE-SU-2024:2190-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:01995-1","SUSE-SU-2025:0231-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20249-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35811.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78"},{"type":"WEB","url":"https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00
020.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35811.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35811"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e756af5b30b008f6ffcfebf8ad0b477f6f225b62"},{"fixed":"202c503935042272e2f9e1bb549d5f69a8681169"},{"fixed":"8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1"},{"fixed":"bacb8c3ab86dcd760c15903fcee58169bc3026aa"},{"fixed":"8c36205123dc57349b59b4f1a2301eb278cbc731"},{"fixed":"0b812f706fd7090be74812101114a0e165b36744"},{"fixed":"190794848e2b9d15de92d502b6ac652806904f5a"},{"fixed":"6678a1e7d896c00030b31491690e8ddc9a90767a"},{"fixed":"0a7591e14a8da794d0b93b5d1c6254ccb23adacb"},{"fixed":"0f7352557a35ab7888bc7831411ec8a3cbe20d78"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35811.json"}}],"schema_version":"1.7.5"}