
Category: OS (Linux) > Linux Kernel
Vendors:
Linux Kernel Buffer Overflow in brcmf_cfg80211_mgmt_tx() Lets Local Users Execute Arbitrary Code
SecurityTracker Alert ID: 1038981
SecurityTracker URL:
CVE Reference: CVE-2017-7541
Date: Jul 25 2017
Impact: Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes

Description: A vulnerability was reported in the Linux kernel. A local user can obtain elevated privileges on the target system.

A local user can send a specially crafted NL80211_CMD_FRAME packet via netlink to trigger a buffer overflow in the brcmf_cfg80211_mgmt_tx() function and execute arbitrary code on the target system.
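The boundary error described above, modelled as an added example that is not the kernel's or the driver's code: a management-frame transmit handler that trusts the netlink-supplied frame length when copying the frame body into a fixed-size action-frame buffer, next to the bounded version. The header length, buffer size, struct and function names are constructed for this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sizes for this model (assumptions, not the driver's constants):
 * an 802.11 management header followed by a fixed-size action-frame buffer. */
#define MGMT_HDR_LEN      24
#define ACTION_FRAME_MAX  1040

/* Stand-in for the fixed-size request the driver fills from the management
 * frame a userspace program hands it via NL80211_CMD_FRAME. */
struct action_frame_params {
    uint16_t len;
    uint8_t  data[ACTION_FRAME_MAX];
};

/* How many bytes a copy of the frame body would run past data[] if the
 * supplied length were trusted as-is (0 means it fits). */
size_t bytes_past_buffer(size_t frame_len)
{
    if (frame_len <= MGMT_HDR_LEN + ACTION_FRAME_MAX)
        return 0;
    return frame_len - (MGMT_HDR_LEN + ACTION_FRAME_MAX);
}

/* Vulnerable pattern: the only check is that a header is present; the body
 * length is trusted, so memcpy() can write past the end of data[]. */
int mgmt_tx_unchecked(struct action_frame_params *af,
                      const uint8_t *frame, size_t frame_len)
{
    if (frame_len < MGMT_HDR_LEN)
        return -EINVAL;
    af->len = (uint16_t)(frame_len - MGMT_HDR_LEN);
    memcpy(af->data, frame + MGMT_HDR_LEN, af->len);  /* boundary error */
    return 0;
}

/* Hardened pattern: bound the body against the destination before copying. */
int mgmt_tx_checked(struct action_frame_params *af,
                    const uint8_t *frame, size_t frame_len)
{
    if (frame_len < MGMT_HDR_LEN ||
        frame_len - MGMT_HDR_LEN > sizeof(af->data))
        return -EINVAL;
    af->len = (uint16_t)(frame_len - MGMT_HDR_LEN);
    memcpy(af->data, frame + MGMT_HDR_LEN, af->len);
    return 0;
}
```

The unchecked variant is only ever called with an in-range frame here; bytes_past_buffer() quantifies the overrun an oversized length would cause without performing it.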

Stanislaw Gruszka reported this vulnerability.

Impact: A local user can obtain elevated privileges on the target system.
Solution: The vendor has issued a source code fix, available at:

Vendor URL:
Cause: Boundary error

Message History: None.

Source Message Contents

Date:  Mon, 24 Jul 2017 09:53:39 -0400 (EDT)
Subject:  [oss-security] CVE-2017-7541: Linux kernel: Memory corruption due to a buffer overflow in brcmf_cfg80211_mgmt_tx()


Kernel memory corruption due to a buffer overflow was found in the brcmf_cfg80211_mgmt_tx()
function in Linux kernels from v3.9-rc1 to v4.13-rc1. It can be triggered by sending a
crafted NL80211_CMD_FRAME packet via netlink.

Research was done into whether this flaw could be triggered remotely, by sending packets over
the air; the result follows:

RX notification is regarding an event sent to a userspace program, which is
usually "wpa_supplicant" or "hostapd". The userspace can register
in the kernel via NL80211_CMD_REGISTER_FRAME to have management frames passed to it.
This flaw would be remotely exploitable if a userspace program registers to
receive some management frames and then passes them back to the kernel without
modification. I'm not sure if any user space program does that; I think
"hostapd" or "wpa_supplicant" don't, but to be sure, it would require
fully analyzing their source code.
(Stanislaw Gruszka <>)

So, this flaw is unlikely to be triggered remotely, as certain userspace code is needed
for this. An unprivileged local user could use this flaw to induce kernel memory corruption
on the system, leading to a crash. Due to the nature of the flaw, privilege escalation
cannot be fully ruled out, although we believe it is unlikely.



Upstream patch:


Copyright 2017, LLC