Bottlerocket: bottlerocket-kernel-5.15, kernel-5.15: security update to 5.15.182

medium Tenable Cloud Security Plugin ID 428161

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: avoid NULL pointer error
during sdio remove When running 'rmmod ath10k', ath10k_sdio_remove() will free sdio workqueue by
destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON is set to yes, kernel panic will happen: Call
trace: destroy_workqueue+0x1c/0x258 ath10k_sdio_remove+0x84/0x94 sdio_bus_remove+0x50/0x16c
device_release_driver_internal+0x188/0x25c device_driver_detach+0x20/0x2c This is because during 'rmmod
ath10k', ath10k_sdio_remove() will call ath10k_core_destroy() before destroy_workqueue().
wiphy_dev_release() will finally be called in ath10k_core_destroy(). This function will free struct
cfg80211_registered_device *rdev and all its members, including wiphy, dev and the pointer of sdio
workqueue. Then the pointer of sdio workqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON.
After device release, destroy_workqueue() will use NULL pointer then the kernel panic happen. Call trace:
ath10k_sdio_remove ->ath10k_core_unregister …… ->ath10k_core_stop ->ath10k_hif_stop
->ath10k_sdio_irq_disable ->ath10k_hif_power_down ->del_timer_sync(&ar_sdio->sleep_timer)
->ath10k_core_destroy ->ath10k_mac_destroy ->ieee80211_free_hw ->wiphy_free …… ->wiphy_dev_release
->destroy_workqueue Need to call destroy_workqueue() before ath10k_core_destroy(), free the work queue
buffer first and then free pointer of work queue by ath10k_core_destroy(). This order matches the error
path order in ath10k_sdio_probe(). No work will be queued on sdio workqueue between it is destroyed and
ath10k_core_destroy() is called. Based on the call_stack above, the reason is: Only
ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() and ath10k_sdio_irq_disable() will queue work
on sdio workqueue. Sleep timer will be deleted before ath10k_core_destroy() in ath10k_hif_power_down().
ath10k_sdio_irq_disable() only be called in ath10k_hif_stop(). ath10k_core_unregister() will call
ath10k_hif_power_down() to stop hif bus, so ath10k_sdio_hif_tx_sg() won't be called anymore. Tested-on:
QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189 (CVE-2024-56599)

Plugin Details

Severity: Medium

ID: 428161

Version: Revision 1.2

Type: Local

Published: 6/30/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2024-56599

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 12/27/2024

Reference Information

CVE: CVE-2024-56599