LiveActive security incident?Get immediate response
CVE Record

CVE-2024-40912: wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from softirq context. However using only spin_lock() to get sta->ps_lock in ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to take this same lock ending in deadlock. Below is an example of rcu stall that arises in such situation. rcu: INFO: rcu_sched self-detected stall on CPU rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996 rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4) CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742 Hardware name: RPT (r1) (DT) pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : queued_spin_lock_slowpath+0x58/0x2d0 lr : invoke_tx_handlers_early+0x5b4/0x5c0 sp : ffff00001ef64660 x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8 x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000 x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000 x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000 x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80 x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440 x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880 x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8 Call trace: queued_spin_lock_slowpath+0x58/0x2d0 ieee80211_tx+0x80/0x12c ieee80211_tx_pending+0x110/0x278 tasklet_action_common.constprop.0+0x10c/0x144 tasklet_action+0x20/0x28 _stext+0x11c/0x284 ____do_softirq+0xc/0x14 call_on_irq_stack+0x24/0x34 do_softirq_own_stack+0x18/0x20 do_softirq+0x74/0x7c __local_bh_enable_ip+0xa0/0xa4 _ieee80211_wake_txqs+0x3b0/0x4b8 __ieee80211_wake_queue+0x12c/0x168 ieee80211_add_pending_skbs+0xec/0x138 ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480 ieee80211_mps_sta_status_update.part.0+0xd8/0x11c ieee80211_mps_sta_status_update+0x18/0x24 sta_apply_parameters+0x3bc/0x4c0 ieee80211_change_station+0x1b8/0x2dc nl80211_set_station+0x444/0x49c genl_family_rcv_msg_doit.isra.0+0xa4/0xfc genl_rcv_msg+0x1b0/0x244 netlink_rcv_skb+0x38/0x10c genl_rcv+0x34/0x48 netlink_unicast+0x254/0x2bc netlink_sendmsg+0x190/0x3b4 ____sys_sendmsg+0x1e8/0x218 ___sys_sendmsg+0x68/0x8c __sys_sendmsg+0x44/0x84 __arm64_sys_sendmsg+0x20/0x28 do_el0_svc+0x6c/0xe8 el0_svc+0x14/0x48 el0t_64_sync_handler+0xb0/0xb4 el0t_64_sync+0x14c/0x150 Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise on the same CPU that is holding the lock.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2024-40912 is a Linux kernel Wi-Fi mac80211 locking bug. Under power-save wakeup handling, the kernel can deadlock itself and trigger RCU stalls, disrupting wireless networking or the host. The sources do not provide CVSS, privilege requirements, or active exploitation evidence, so urgency depends on whether affected Linux kernels with mac80211 Wi-Fi are deployed.

Executive priority

Treat this as an availability risk for Linux Wi-Fi and embedded/OT environments. It is not marked as exploited in KEV, and severity data is missing, but deadlocks in kernel networking can cause operational disruption. Prioritize patch verification where wireless Linux systems support business or plant operations.

Technical view

The bug is in ieee80211_sta_ps_deliver_wakeup(): it used spin_lock while synchronizing with softirq-context ieee80211_tx_h_unicast_ps_buf(). A softirq on the same CPU could attempt the same sta->ps_lock, causing deadlock. The upstream fix uses spin_lock_bh()/spin_unlock_bh() to block softirqs while holding the lock.

Likely exposure

Exposure is most relevant to Linux systems using affected kernel versions with mac80211-based Wi-Fi. The bundle lists Linux 3.14 through 6.10 and several stable commits as affected context, with Debian LTS and Siemens advisories referenced. Systems without Wi-Fi/mac80211 use are less likely to be exposed.

Exploitation context

The provided bundle does not show active exploitation, KEV inclusion, proof-of-concept availability, or attacker prerequisites. The described outcome is a kernel deadlock/RCU stall, indicating availability impact rather than confirmed code execution or data exposure.

Researcher notes

Evidence supports a local kernel synchronization flaw in mac80211 power-save wakeup handling. The source bundle includes the failure trace and fix rationale but lacks CVSS, CWE, exploitability details, and confirmed affected downstream products beyond referenced advisories. Avoid assuming remote triggerability without vendor or researcher evidence.

Mitigation direction

  • Apply Linux kernel stable updates containing the referenced mac80211 fix.
  • Check Debian, Siemens, or other vendor advisories for supported package updates.
  • Prioritize systems using Wi-Fi, embedded Linux, or operational technology appliances.
  • Where patching is delayed, assess whether affected Wi-Fi functionality can be reduced.
  • Track vendor guidance because no standalone workaround is named in the bundle.

Validation and detection

  • Inventory Linux kernel versions across Wi-Fi-capable systems and appliances.
  • Confirm whether mac80211-based wireless drivers are enabled or loaded.
  • Compare deployed kernels against vendor fixed releases and referenced stable commits.
  • Review logs for RCU stalls or deadlock symptoms around wireless power-save activity.
  • Verify patched systems include the spin_lock_bh locking change.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-40912 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
12Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux1d147bfa64293b2723c4fec50922168658e613ba, 1d147bfa64293b2723c4fec50922168658e613ba, 1d147bfa64293b2723c4fec50922168658e613ba, 1d147bfa64293b2723c4fec50922168658e613ba, 1d147bfa64293b2723c4fec50922168658e613ba, 1d147bfa64293b2723c4fec50922168658e613ba, 1d147bfa64293b2723c4fec50922168658e613ba, 1d147bfa64293b2723c4fec50922168658e613ba, ad64b463d919a18be70b281efb135231169caf4a, 46a5a5493360f995b834eb3b828eb59da4604509, a7ee1a84a81555b19ec3d02f104bfd70cf0b668a, 58d4310586466840dab77e56e53f4508853a5268, fcb6d3c79824d350893edfa7b50d6ba1f670c4ecunaffected
LinuxLinux3.14, 0, 4.19.317, 5.4.279, 5.10.221, 5.15.162, 6.1.95, 6.6.35, 6.9.6, 6.10affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.