CVE-2025-23133 (GCVE-0-2025-23133)
Vulnerability from cvelistv5
Published
2025-04-16 14:13
Modified
2025-09-09 17:05
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: update channel list in reg notifier instead reg worker Currently when ath11k gets a new channel list, it will be processed according to the following steps: 1. update new channel list to cfg80211 and queue reg_work. 2. cfg80211 handles new channel list during reg_work. 3. update cfg80211's handled channel list to firmware by ath11k_reg_update_chan_list(). But ath11k will immediately execute step 3 after reg_work is just queued. Since step 2 is asynchronous, cfg80211 may not have completed handling the new channel list, which may leading to an out-of-bounds write error: BUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list Call Trace: ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k] kfree+0x109/0x3a0 ath11k_regd_update+0x1cf/0x350 [ath11k] ath11k_regd_update_work+0x14/0x20 [ath11k] process_one_work+0xe35/0x14c0 Should ensure step 2 is completely done before executing step 3. Thus Wen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set, cfg80211 will notify ath11k after step 2 is done. So enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will notify ath11k after step 2 is done. At this time, there will be no KASAN bug during the execution of the step 3. [1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/ Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
References
Impacted products
Vendor Product Version
Linux Linux Version: f45cb6b29cd36514e13f7519770873d8c0457008
Version: f45cb6b29cd36514e13f7519770873d8c0457008
Version: f45cb6b29cd36514e13f7519770873d8c0457008
Version: f96fd36936310cefe0ea1370a9ae30e6746e6f62
Version: c97b120950b49d76bdce013bd4d9577d769465f4
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath11k/reg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "26618c039b78a76c373d4e02c5fbd52e3a73aead",
              "status": "affected",
              "version": "f45cb6b29cd36514e13f7519770873d8c0457008",
              "versionType": "git"
            },
            {
              "lessThan": "f952fb83c9c6f908d27500764c4aee1df04b9d3f",
              "status": "affected",
              "version": "f45cb6b29cd36514e13f7519770873d8c0457008",
              "versionType": "git"
            },
            {
              "lessThan": "933ab187e679e6fbdeea1835ae39efcc59c022d2",
              "status": "affected",
              "version": "f45cb6b29cd36514e13f7519770873d8c0457008",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f96fd36936310cefe0ea1370a9ae30e6746e6f62",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c97b120950b49d76bdce013bd4d9577d769465f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath11k/reg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.79",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.0.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: update channel list in reg notifier instead reg worker\n\nCurrently when ath11k gets a new channel list, it will be processed\naccording to the following steps:\n1. update new channel list to cfg80211 and queue reg_work.\n2. cfg80211 handles new channel list during reg_work.\n3. update cfg80211\u0027s handled channel list to firmware by\nath11k_reg_update_chan_list().\n\nBut ath11k will immediately execute step 3 after reg_work is just\nqueued. Since step 2 is asynchronous, cfg80211 may not have completed\nhandling the new channel list, which may leading to an out-of-bounds\nwrite error:\nBUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list\nCall Trace:\n    ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k]\n    kfree+0x109/0x3a0\n    ath11k_regd_update+0x1cf/0x350 [ath11k]\n    ath11k_regd_update_work+0x14/0x20 [ath11k]\n    process_one_work+0xe35/0x14c0\n\nShould ensure step 2 is completely done before executing step 3. Thus\nWen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set,\ncfg80211 will notify ath11k after step 2 is done.\n\nSo enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will\nnotify ath11k after step 2 is done. At this time, there will be no\nKASAN bug during the execution of the step 3.\n\n[1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T17:05:55.103Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/26618c039b78a76c373d4e02c5fbd52e3a73aead"
        },
        {
          "url": "https://git.kernel.org/stable/c/f952fb83c9c6f908d27500764c4aee1df04b9d3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/933ab187e679e6fbdeea1835ae39efcc59c022d2"
        }
      ],
      "title": "wifi: ath11k: update channel list in reg notifier instead reg worker",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23133",
    "datePublished": "2025-04-16T14:13:14.485Z",
    "dateReserved": "2025-01-11T14:28:41.511Z",
    "dateUpdated": "2025-09-09T17:05:55.103Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-23133\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-16T15:16:07.717\",\"lastModified\":\"2025-09-09T17:15:42.627\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath11k: update channel list in reg notifier instead reg worker\\n\\nCurrently when ath11k gets a new channel list, it will be processed\\naccording to the following steps:\\n1. update new channel list to cfg80211 and queue reg_work.\\n2. cfg80211 handles new channel list during reg_work.\\n3. update cfg80211\u0027s handled channel list to firmware by\\nath11k_reg_update_chan_list().\\n\\nBut ath11k will immediately execute step 3 after reg_work is just\\nqueued. Since step 2 is asynchronous, cfg80211 may not have completed\\nhandling the new channel list, which may leading to an out-of-bounds\\nwrite error:\\nBUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list\\nCall Trace:\\n    ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k]\\n    kfree+0x109/0x3a0\\n    ath11k_regd_update+0x1cf/0x350 [ath11k]\\n    ath11k_regd_update_work+0x14/0x20 [ath11k]\\n    process_one_work+0xe35/0x14c0\\n\\nShould ensure step 2 is completely done before executing step 3. Thus\\nWen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set,\\ncfg80211 will notify ath11k after step 2 is done.\\n\\nSo enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will\\nnotify ath11k after step 2 is done. At this time, there will be no\\nKASAN bug during the execution of the step 3.\\n\\n[1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/\\n\\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: ath11k: actualizar la lista de canales en el notificador de registros en lugar del trabajador de registros. Actualmente, cuando ath11k obtiene una nueva lista de canales, esta se procesa seg\u00fan los siguientes pasos: 1. Actualizar la nueva lista de canales a cfg80211 y poner en cola reg_work. 2. cfg80211 gestiona la nueva lista de canales durante reg_work. 3. Actualizar la lista de canales gestionada de cfg80211 al firmware mediante ath11k_reg_update_chan_list(). Sin embargo, ath11k ejecutar\u00e1 inmediatamente el paso 3 despu\u00e9s de poner en cola reg_work. Como el paso 2 es asincr\u00f3nico, es posible que cfg80211 no haya terminado de manejar la nueva lista de canales, lo que puede generar un error de escritura fuera de los l\u00edmites: BUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list Call Trace: ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k] kfree+0x109/0x3a0 ath11k_regd_update+0x1cf/0x350 [ath11k] ath11k_regd_update_work+0x14/0x20 [ath11k] process_one_work+0xe35/0x14c0 Se debe asegurar que el paso 2 se haya realizado completamente antes de ejecutar el paso 3. Por lo tanto, Wen plante\u00f3 patch[1]. Cuando se activa el indicador NL80211_REGDOM_SET_BY_DRIVER, cfg80211 notificar\u00e1 a ath11k una vez finalizado el paso 2. Por lo tanto, al activar el indicador NL80211_REGDOM_SET_BY_DRIVER, cfg80211 notificar\u00e1 a ath11k una vez finalizado el paso 2. En este momento, no se producir\u00e1 ning\u00fan error de KASAN durante la ejecuci\u00f3n del paso 3. [1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/ Probado en: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/26618c039b78a76c373d4e02c5fbd52e3a73aead\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/933ab187e679e6fbdeea1835ae39efcc59c022d2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f952fb83c9c6f908d27500764c4aee1df04b9d3f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.