CVE-2025-21910 (GCVE-0-2025-21910)
Vulnerability from cvelistv5
Published
2025-04-01 15:40
Modified
2025-05-04 07:24
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: regulatory: improve invalid hints checking Syzbot keeps reporting an issue [1] that occurs when erroneous symbols sent from userspace get through into user_alpha2[] via regulatory_hint_user() call. Such invalid regulatory hints should be rejected. While a sanity check from commit 47caf685a685 ("cfg80211: regulatory: reject invalid hints") looks to be enough to deter these very cases, there is a way to get around it due to 2 reasons. 1) The way isalpha() works, symbols other than latin lower and upper letters may be used to determine a country/domain. For instance, greek letters will also be considered upper/lower letters and for such characters isalpha() will return true as well. However, ISO-3166-1 alpha2 codes should only hold latin characters. 2) While processing a user regulatory request, between reg_process_hint_user() and regulatory_hint_user() there happens to be a call to queue_regulatory_request() which modifies letters in request->alpha2[] with toupper(). This works fine for latin symbols, less so for weird letter characters from the second part of _ctype[]. Syzbot triggers a warning in is_user_regdom_saved() by first sending over an unexpected non-latin letter that gets malformed by toupper() into a character that ends up failing isalpha() check. Prevent this by enhancing is_an_alpha2() to ensure that incoming symbols are latin letters and nothing else. [1] Syzbot report: ------------[ cut here ]------------ Unexpected user alpha2: A� WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline] WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline] WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516 Modules linked in: CPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events_power_efficient crda_timeout_work RIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline] RIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline] RIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516 ... Call Trace: <TASK> crda_timeout_work+0x27/0x50 net/wireless/reg.c:542 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK>
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/17aa34c84867f6cd181a5743e1c647e7766962a6
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/35ef07112b61b06eb30683a6563c9f6378c02476
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/59b348be7597c4a9903cb003c69e37df20c04a30
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/62b1a9bbfebba4b4c2bb6c1ede9ef7ecee7a9ff6
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6a5e3b23054cee3b92683d1467e3fa83921f5622
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/be7c5f00aa7f1344293e4d48d0e12be83a2f223d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/da3f599517ef2ea851208df3229d07728d238dc5
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f4112cb477c727a65787a4065a75ca593bb5b2f4
Impacted products
Vendor Product Version
Linux Linux Version: 09d989d179d0c679043556dda77c51b41a2dae7e
Version: 09d989d179d0c679043556dda77c51b41a2dae7e
Version: 09d989d179d0c679043556dda77c51b41a2dae7e
Version: 09d989d179d0c679043556dda77c51b41a2dae7e
Version: 09d989d179d0c679043556dda77c51b41a2dae7e
Version: 09d989d179d0c679043556dda77c51b41a2dae7e
Version: 09d989d179d0c679043556dda77c51b41a2dae7e
Version: 09d989d179d0c679043556dda77c51b41a2dae7e
 Create a notification for this product.
   Linux Linux Version: 2.6.34
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/wireless/reg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "62b1a9bbfebba4b4c2bb6c1ede9ef7ecee7a9ff6",
              "status": "affected",
              "version": "09d989d179d0c679043556dda77c51b41a2dae7e",
              "versionType": "git"
            },
            {
              "lessThan": "da3f599517ef2ea851208df3229d07728d238dc5",
              "status": "affected",
              "version": "09d989d179d0c679043556dda77c51b41a2dae7e",
              "versionType": "git"
            },
            {
              "lessThan": "6a5e3b23054cee3b92683d1467e3fa83921f5622",
              "status": "affected",
              "version": "09d989d179d0c679043556dda77c51b41a2dae7e",
              "versionType": "git"
            },
            {
              "lessThan": "f4112cb477c727a65787a4065a75ca593bb5b2f4",
              "status": "affected",
              "version": "09d989d179d0c679043556dda77c51b41a2dae7e",
              "versionType": "git"
            },
            {
              "lessThan": "35ef07112b61b06eb30683a6563c9f6378c02476",
              "status": "affected",
              "version": "09d989d179d0c679043556dda77c51b41a2dae7e",
              "versionType": "git"
            },
            {
              "lessThan": "be7c5f00aa7f1344293e4d48d0e12be83a2f223d",
              "status": "affected",
              "version": "09d989d179d0c679043556dda77c51b41a2dae7e",
              "versionType": "git"
            },
            {
              "lessThan": "17aa34c84867f6cd181a5743e1c647e7766962a6",
              "status": "affected",
              "version": "09d989d179d0c679043556dda77c51b41a2dae7e",
              "versionType": "git"
            },
            {
              "lessThan": "59b348be7597c4a9903cb003c69e37df20c04a30",
              "status": "affected",
              "version": "09d989d179d0c679043556dda77c51b41a2dae7e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/wireless/reg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.34"
            },
            {
              "lessThan": "2.6.34",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: regulatory: improve invalid hints checking\n\nSyzbot keeps reporting an issue [1] that occurs when erroneous symbols\nsent from userspace get through into user_alpha2[] via\nregulatory_hint_user() call. Such invalid regulatory hints should be\nrejected.\n\nWhile a sanity check from commit 47caf685a685 (\"cfg80211: regulatory:\nreject invalid hints\") looks to be enough to deter these very cases,\nthere is a way to get around it due to 2 reasons.\n\n1) The way isalpha() works, symbols other than latin lower and\nupper letters may be used to determine a country/domain.\nFor instance, greek letters will also be considered upper/lower\nletters and for such characters isalpha() will return true as well.\nHowever, ISO-3166-1 alpha2 codes should only hold latin\ncharacters.\n\n2) While processing a user regulatory request, between\nreg_process_hint_user() and regulatory_hint_user() there happens to\nbe a call to queue_regulatory_request() which modifies letters in\nrequest-\u003ealpha2[] with toupper(). This works fine for latin symbols,\nless so for weird letter characters from the second part of _ctype[].\n\nSyzbot triggers a warning in is_user_regdom_saved() by first sending\nover an unexpected non-latin letter that gets malformed by toupper()\ninto a character that ends up failing isalpha() check.\n\nPrevent this by enhancing is_an_alpha2() to ensure that incoming\nsymbols are latin letters and nothing else.\n\n[1] Syzbot report:\n------------[ cut here ]------------\nUnexpected user alpha2: A\ufffd\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline]\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline]\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516\nModules linked in:\nCPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nWorkqueue: events_power_efficient crda_timeout_work\nRIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline]\nRIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline]\nRIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516\n...\nCall Trace:\n \u003cTASK\u003e\n crda_timeout_work+0x27/0x50 net/wireless/reg.c:542\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n kthread+0x2f2/0x390 kernel/kthread.c:389\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:11.580Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/62b1a9bbfebba4b4c2bb6c1ede9ef7ecee7a9ff6"
        },
        {
          "url": "https://git.kernel.org/stable/c/da3f599517ef2ea851208df3229d07728d238dc5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a5e3b23054cee3b92683d1467e3fa83921f5622"
        },
        {
          "url": "https://git.kernel.org/stable/c/f4112cb477c727a65787a4065a75ca593bb5b2f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/35ef07112b61b06eb30683a6563c9f6378c02476"
        },
        {
          "url": "https://git.kernel.org/stable/c/be7c5f00aa7f1344293e4d48d0e12be83a2f223d"
        },
        {
          "url": "https://git.kernel.org/stable/c/17aa34c84867f6cd181a5743e1c647e7766962a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/59b348be7597c4a9903cb003c69e37df20c04a30"
        }
      ],
      "title": "wifi: cfg80211: regulatory: improve invalid hints checking",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21910",
    "datePublished": "2025-04-01T15:40:49.189Z",
    "dateReserved": "2024-12-29T08:45:45.786Z",
    "dateUpdated": "2025-05-04T07:24:11.580Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21910\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-01T16:15:21.550\",\"lastModified\":\"2025-04-01T20:26:01.990\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: cfg80211: regulatory: improve invalid hints checking\\n\\nSyzbot keeps reporting an issue [1] that occurs when erroneous symbols\\nsent from userspace get through into user_alpha2[] via\\nregulatory_hint_user() call. Such invalid regulatory hints should be\\nrejected.\\n\\nWhile a sanity check from commit 47caf685a685 (\\\"cfg80211: regulatory:\\nreject invalid hints\\\") looks to be enough to deter these very cases,\\nthere is a way to get around it due to 2 reasons.\\n\\n1) The way isalpha() works, symbols other than latin lower and\\nupper letters may be used to determine a country/domain.\\nFor instance, greek letters will also be considered upper/lower\\nletters and for such characters isalpha() will return true as well.\\nHowever, ISO-3166-1 alpha2 codes should only hold latin\\ncharacters.\\n\\n2) While processing a user regulatory request, between\\nreg_process_hint_user() and regulatory_hint_user() there happens to\\nbe a call to queue_regulatory_request() which modifies letters in\\nrequest-\u003ealpha2[] with toupper(). This works fine for latin symbols,\\nless so for weird letter characters from the second part of _ctype[].\\n\\nSyzbot triggers a warning in is_user_regdom_saved() by first sending\\nover an unexpected non-latin letter that gets malformed by toupper()\\ninto a character that ends up failing isalpha() check.\\n\\nPrevent this by enhancing is_an_alpha2() to ensure that incoming\\nsymbols are latin letters and nothing else.\\n\\n[1] Syzbot report:\\n------------[ cut here ]------------\\nUnexpected user alpha2: A\ufffd\\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline]\\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline]\\nWARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516\\nModules linked in:\\nCPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\\nWorkqueue: events_power_efficient crda_timeout_work\\nRIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline]\\nRIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline]\\nRIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516\\n...\\nCall Trace:\\n \u003cTASK\u003e\\n crda_timeout_work+0x27/0x50 net/wireless/reg.c:542\\n process_one_work kernel/workqueue.c:3229 [inline]\\n process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310\\n worker_thread+0x870/0xd30 kernel/workqueue.c:3391\\n kthread+0x2f2/0x390 kernel/kthread.c:389\\n ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\\n \u003c/TASK\u003e\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/17aa34c84867f6cd181a5743e1c647e7766962a6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/35ef07112b61b06eb30683a6563c9f6378c02476\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/59b348be7597c4a9903cb003c69e37df20c04a30\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/62b1a9bbfebba4b4c2bb6c1ede9ef7ecee7a9ff6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6a5e3b23054cee3b92683d1467e3fa83921f5622\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/be7c5f00aa7f1344293e4d48d0e12be83a2f223d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/da3f599517ef2ea851208df3229d07728d238dc5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f4112cb477c727a65787a4065a75ca593bb5b2f4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.