CVE-2024-50237: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50237 is a vulnerability in the Linux kernel's mac80211 WiFi subsystem, discovered and disclosed on November 9, 2024. The vulnerability affects the transmission power reporting functionality in the WiFi driver interface, specifically in the .get_txpower operation. The issue impacts multiple versions of the Linux kernel, from version 3.19 through versions 4.19.323, 5.4.285, 5.10.229, and 5.15.171 (NVD).

The vulnerability stems from passing a stopped virtual interface (vif) to the driver in the .get_txpower function, which could lead to accessing uninitialized private data. This issue was introduced by commit 5b3dc42b1b0d which added support for driver tx power reporting. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with a vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access is required and the primary impact is to availability (NVD).

The vulnerability can potentially cause the system to crash due to accessing uninitialized private data in the WiFi driver when attempting to retrieve transmission power information. This creates a stability risk for affected systems, particularly impacting the availability of WiFi functionality (Kernel Patch).

The vulnerability has been patched in the Linux kernel with a fix that adds a check to verify if the virtual interface is properly initialized before passing it to the driver. The patch has been backported to multiple stable kernel versions. Users should update to the fixed kernel versions: 4.19.323 or later, 5.4.285 or later, 5.10.229 or later, or 5.15.171 or later (NVD).