{"api_version":"1","generated_at":"2026-05-12T18:11:29+00:00","cve":"CVE-2024-35811","urls":{"html":"https://cve.report/CVE-2024-35811","api":"https://cve.report/api/cve/CVE-2024-35811.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-35811","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-35811"},"summary":{"title":"wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\n\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\n\nIn brcm80211 driver, it starts with the following invoking chain\nto start init a timeout worker:\n\n->brcmf_usb_probe\n  ->brcmf_usb_probe_cb\n    ->brcmf_attach\n      ->brcmf_bus_started\n        ->brcmf_cfg80211_attach\n          ->wl_init_priv\n            ->brcmf_init_escan\n              ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t  brcmf_cfg80211_escan_timeout_worker);\n\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\n\nbrcmf_usb_disconnect\n  ->brcmf_usb_disconnect_cb\n    ->brcmf_detach\n      ->brcmf_cfg80211_detach\n        ->kfree(cfg);\n\nWhile the timeout worker may still be running. 
This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\n\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\n\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]","state":"PUBLISHED","assigner":"Linux","published_at":"2024-05-17 14:15:15","updated_at":"2026-05-12 12:16:36"},"problem_types":["CWE-416"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","name":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing 
List"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb","name":"https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731","name":"https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78","name":"https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a","name":"https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa","name":"https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744","name":"https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744","refsource":"af854a3a-2127-422b-91ae-364da2661108","ta
gs":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169","name":"https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a","name":"https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1","name":"https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","name":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-35811","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35811","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e756af5b30b008f6ffcfebf8ad0b477f6f225b62 202c503935042272e2f9e1bb549d5f69a8681169 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e756af5b30b008f6ffcfebf8ad0b477f6f225b62 8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e756af5b30b008f6ffcfebf8ad0b477f6f225b62 
bacb8c3ab86dcd760c15903fcee58169bc3026aa git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e756af5b30b008f6ffcfebf8ad0b477f6f225b62 8c36205123dc57349b59b4f1a2301eb278cbc731 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e756af5b30b008f6ffcfebf8ad0b477f6f225b62 0b812f706fd7090be74812101114a0e165b36744 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e756af5b30b008f6ffcfebf8ad0b477f6f225b62 190794848e2b9d15de92d502b6ac652806904f5a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e756af5b30b008f6ffcfebf8ad0b477f6f225b62 6678a1e7d896c00030b31491690e8ddc9a90767a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e756af5b30b008f6ffcfebf8ad0b477f6f225b62 0a7591e14a8da794d0b93b5d1c6254ccb23adacb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e756af5b30b008f6ffcfebf8ad0b477f6f225b62 0f7352557a35ab7888bc7831411ec8a3cbe20d78 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.7","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.7 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.19.312 4.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.4.274 5.4.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.215 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.154 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.84 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.24 6.6.* 
semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.7.12 6.7.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.8.3 6.8.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.9 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","version":"affected * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"35811","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-02T03:21:47.516Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a"},{"tags":["x_transferred"],"url":"https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb"},{"tags":["x_transferred"],"url
":"https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78"},{"tags":["x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"tags":["x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}],"title":"CVE Program Container"},{"metrics":[{"other":{"content":{"id":"CVE-2024-35811","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-09-10T15:42:35.275433Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-09-11T17:32:51.552Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"defaultStatus":"unknown","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T11:52:09.242Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"202c503935042272e2f9e1bb549d5f69a8681169","status":"affected","version":"e756af5b30b008f6ffcfebf8ad0b477f6f225b62","versionType":"git"},{"lessThan":"8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1","status":"affected","version":"e756af5b30b008f6ffcfebf8ad0b477f6f225b62","versionType":"git"},{"lessThan":"bacb8c3ab86dcd760c15903fcee58169bc3026aa","status":"affected","version":"e756af5b30b008f6ffcfebf8ad0b477f6f225b62","versionType":"git"},{"lessThan":"8c36205123dc57349b59b4f1a2301eb278cbc731","status":"affected","version":"e756af5b30b008f6ffcfebf8ad0b477f6f
225b62","versionType":"git"},{"lessThan":"0b812f706fd7090be74812101114a0e165b36744","status":"affected","version":"e756af5b30b008f6ffcfebf8ad0b477f6f225b62","versionType":"git"},{"lessThan":"190794848e2b9d15de92d502b6ac652806904f5a","status":"affected","version":"e756af5b30b008f6ffcfebf8ad0b477f6f225b62","versionType":"git"},{"lessThan":"6678a1e7d896c00030b31491690e8ddc9a90767a","status":"affected","version":"e756af5b30b008f6ffcfebf8ad0b477f6f225b62","versionType":"git"},{"lessThan":"0a7591e14a8da794d0b93b5d1c6254ccb23adacb","status":"affected","version":"e756af5b30b008f6ffcfebf8ad0b477f6f225b62","versionType":"git"},{"lessThan":"0f7352557a35ab7888bc7831411ec8a3cbe20d78","status":"affected","version":"e756af5b30b008f6ffcfebf8ad0b477f6f225b62","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.7"},{"lessThan":"3.7","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"4.19.*","status":"unaffected","version":"4.19.312","versionType":"semver"},{"lessThanOrEqual":"5.4.*","status":"unaffected","version":"5.4.274","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.215","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.154","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.84","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.24","versionType":"semver"},{"lessThanOrEqual":"6.7.*","status":"unaffected","version":"6.7.12","versionType":"semver"},{"lessThanOrEqual":"6.8.*","status":"unaffected","version":"6.8.3","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.9","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[
{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"4.19.312","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.274","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.215","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.154","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.84","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.24","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.7.12","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.8.3","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.9","versionStartIncluding":"3.7","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\n\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\n\nIn brcm80211 driver, it starts with the following invoking chain\nto start init a timeout worker:\n\n->brcmf_usb_probe\n  ->brcmf_usb_probe_cb\n    ->brcmf_attach\n      ->brcmf_bus_started\n        ->brcmf_cfg80211_attach\n          ->wl_init_priv\n            ->brcmf_init_escan\n              ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t  brcmf_cfg80211_escan_timeout_worker);\n\nIf we disconnect the USB by hotplug, it 
will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\n\nbrcmf_usb_disconnect\n  ->brcmf_usb_disconnect_cb\n    ->brcmf_detach\n      ->brcmf_cfg80211_detach\n        ->kfree(cfg);\n\nWhile the timeout worker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\n\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\n\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]"}],"providerMetadata":{"dateUpdated":"2026-05-11T20:11:29.087Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169"},{"url":"https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1"},{"url":"https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa"},{"url":"https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731"},{"url":"https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744"},{"url":"https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a"},{"url":"https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a"},{"url":"https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb"},{"url":"https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78"}],"title":"wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2024-35811","datePublished":"2024-05-17T13:23:17.508Z","dateReserved":"2024-05-17T12:19:12.342Z","dateUpdated":"2026-05-12T11:52:09.242Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-05-17 14:15:15","lastModifiedDate":"2026-05-12 
12:16:36","problem_types":["CWE-416"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7","versionEndExcluding":"4.19.312","matchCriteriaId":"48A978A1-082D-4FD8-B0A8-15D857F7935B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.4.274","matchCriteriaId":"F45A0F3C-C16D-49C4-86D6-D021C3D4B834"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.215","matchCriteriaId":"9CD5894E-58E9-4B4A-B0F4-3E6BC134B8F5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.154","matchCriteriaId":"577E212E-7E95-4A71-9B5C-F1D1A3AFFF46"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.84","matchCriteriaId":"834D9BD5-42A6-4D74-979E-4D6D93F630FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.24","matchCriteriaId":"8018C1D0-0A5F-48D0-BC72-A2B33FDDA693"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.12","matchCriteriaId":"6BE9771A-BAFD-4624-95F9-58D536540C53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_ker
nel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.8.3","matchCriteriaId":"4C59BBC3-6495-4A77-9C82-55EC7CDF5E02"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"35811","Ordinal":"1","Title":"wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach","CVE":"CVE-2024-35811","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"35811","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\n\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\n\nIn brcm80211 driver, it starts with the following invoking chain\nto start init a timeout worker:\n\n->brcmf_usb_probe\n  ->brcmf_usb_probe_cb\n    ->brcmf_attach\n      ->brcmf_bus_started\n        ->brcmf_cfg80211_attach\n          ->wl_init_priv\n            ->brcmf_init_escan\n              ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t  brcmf_cfg80211_escan_timeout_worker);\n\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\n\nbrcmf_usb_disconnect\n  ->brcmf_usb_disconnect_cb\n    ->brcmf_detach\n      ->brcmf_cfg80211_detach\n        ->kfree(cfg);\n\nWhile the timeout worker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\n\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\n\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]","Type":"Description","Title":"wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach"}]}}}