CVE-2025-38606 (GCVE-0-2025-38606)
Vulnerability from cvelistv5
Published: 2025-08-19 17:03
Modified: 2025-08-19 17:03
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: Avoid accessing uninitialized arvif->ar during beacon miss

During beacon miss handling, the ath12k driver iterates over active virtual interfaces (vifs) and attempts to access the radio object (ar) via arvif->deflink->ar.

However, after commit aa80f12f3bed ("wifi: ath12k: defer vdev creation for MLO"), arvif is linked to a radio only after vdev creation, typically when a channel is assigned or a scan is requested.

For P2P capable devices, a default P2P interface is created by wpa_supplicant along with regular station interfaces. These serve as dummy interfaces for P2P-capable stations, lack an associated netdev and initiate frequent scans to discover neighbor p2p devices. When a scan is initiated on such P2P vifs, the driver selects the destination radio (ar) based on scan frequency, creates a scan vdev, and attaches arvif to the radio. Once the scan completes or is aborted, the scan vdev is deleted, detaching arvif from the radio and leaving arvif->ar uninitialized.

While handling beacon miss for station interfaces, the P2P interface is also encountered in the vif iteration and ath12k_mac_handle_beacon_miss_iter() tries to dereference the uninitialized arvif->deflink->ar.

Fix this by verifying that a vdev is created for the arvif before accessing its ar during beacon miss handling and similar vif iterator callbacks.

==========================================================================
 wlp6s0: detected beacon loss from AP (missed 7 beacons) - probing
 KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]

 CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc1-wt-ath+ #2 PREEMPT(full)
 RIP: 0010:ath12k_mac_handle_beacon_miss_iter+0xb5/0x1a0 [ath12k]
 Call Trace:
  __iterate_interfaces+0x11a/0x410 [mac80211]
  ieee80211_iterate_active_interfaces_atomic+0x61/0x140 [mac80211]
  ath12k_mac_handle_beacon_miss+0xa1/0xf0 [ath12k]
  ath12k_roam_event+0x393/0x560 [ath12k]
  ath12k_wmi_op_rx+0x1486/0x28c0 [ath12k]
  ath12k_htc_process_trailer.isra.0+0x2fb/0x620 [ath12k]
  ath12k_htc_rx_completion_handler+0x448/0x830 [ath12k]
  ath12k_ce_recv_process_cb+0x549/0x9e0 [ath12k]
  ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k]
  ath12k_pci_ce_workqueue+0x69/0x120 [ath12k]
  process_one_work+0xe3a/0x1430

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284.1-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
Impacted products
Vendor  Product  Version
Linux   Linux    aa80f12f3bedc2d73e4cc43554aee44c277cc938
Linux   Linux    6.14


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/mac.c",
            "drivers/net/wireless/ath/ath12k/p2p.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9b861dfc5c07defd0191fd3e7288a3179cd9a02e",
              "status": "affected",
              "version": "aa80f12f3bedc2d73e4cc43554aee44c277cc938",
              "versionType": "git"
            },
            {
              "lessThan": "1259b6da8303f70fef6ed4aef8ae3dedfecb0f27",
              "status": "affected",
              "version": "aa80f12f3bedc2d73e4cc43554aee44c277cc938",
              "versionType": "git"
            },
            {
              "lessThan": "36670b67de18f1e5d34900c5d2ac60a8970c293c",
              "status": "affected",
              "version": "aa80f12f3bedc2d73e4cc43554aee44c277cc938",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/mac.c",
            "drivers/net/wireless/ath/ath12k/p2p.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17-rc1",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Avoid accessing uninitialized arvif-\u003ear during beacon miss\n\nDuring beacon miss handling, ath12k driver iterates over active virtual\ninterfaces (vifs) and attempts to access the radio object (ar) via\narvif-\u003edeflink-\u003ear.\n\nHowever, after commit aa80f12f3bed (\"wifi: ath12k: defer vdev creation for\nMLO\"), arvif is linked to a radio only after vdev creation, typically when\na channel is assigned or a scan is requested.\nFor P2P capable devices, a default P2P interface is created by\nwpa_supplicant along with regular station interfaces, these serve as dummy\ninterfaces for P2P-capable stations, lack an associated netdev and initiate\nfrequent scans to discover neighbor p2p devices. When a scan is initiated\non such P2P vifs, driver selects destination radio (ar) based on scan\nfrequency, creates a scan vdev, and attaches arvif to the radio. Once the\nscan completes or is aborted, the scan vdev is deleted, detaching arvif\nfrom the radio and leaving arvif-\u003ear uninitialized.\n\nWhile handling beacon miss for station interfaces, P2P interface is also\nencountered in the vif iteration and ath12k_mac_handle_beacon_miss_iter()\ntries to dereference the uninitialized arvif-\u003edeflink-\u003ear.\n\nFix this by verifying that vdev is created for the arvif before accessing\nits ar during beacon miss handling and similar vif iterator callbacks.\n\n==========================================================================\n wlp6s0: detected beacon loss from AP (missed 7 beacons) - probing\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n\n CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc1-wt-ath+ #2 PREEMPT(full)\n RIP: 0010:ath12k_mac_handle_beacon_miss_iter+0xb5/0x1a0 [ath12k]\n Call Trace:\n  __iterate_interfaces+0x11a/0x410 [mac80211]\n  ieee80211_iterate_active_interfaces_atomic+0x61/0x140 [mac80211]\n  ath12k_mac_handle_beacon_miss+0xa1/0xf0 [ath12k]\n  ath12k_roam_event+0x393/0x560 [ath12k]\n  ath12k_wmi_op_rx+0x1486/0x28c0 [ath12k]\n  ath12k_htc_process_trailer.isra.0+0x2fb/0x620 [ath12k]\n  ath12k_htc_rx_completion_handler+0x448/0x830 [ath12k]\n  ath12k_ce_recv_process_cb+0x549/0x9e0 [ath12k]\n  ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k]\n  ath12k_pci_ce_workqueue+0x69/0x120 [ath12k]\n  process_one_work+0xe3a/0x1430\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284.1-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-19T17:03:50.189Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9b861dfc5c07defd0191fd3e7288a3179cd9a02e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1259b6da8303f70fef6ed4aef8ae3dedfecb0f27"
        },
        {
          "url": "https://git.kernel.org/stable/c/36670b67de18f1e5d34900c5d2ac60a8970c293c"
        }
      ],
      "title": "wifi: ath12k: Avoid accessing uninitialized arvif-\u003ear during beacon miss",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38606",
    "datePublished": "2025-08-19T17:03:50.189Z",
    "dateReserved": "2025-04-16T04:51:24.028Z",
    "dateUpdated": "2025-08-19T17:03:50.189Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38606\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-08-19T17:15:38.930\",\"lastModified\":\"2025-08-20T14:40:17.713\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath12k: Avoid accessing uninitialized arvif-\u003ear during beacon miss\\n\\nDuring beacon miss handling, ath12k driver iterates over active virtual\\ninterfaces (vifs) and attempts to access the radio object (ar) via\\narvif-\u003edeflink-\u003ear.\\n\\nHowever, after commit aa80f12f3bed (\\\"wifi: ath12k: defer vdev creation for\\nMLO\\\"), arvif is linked to a radio only after vdev creation, typically when\\na channel is assigned or a scan is requested.\\nFor P2P capable devices, a default P2P interface is created by\\nwpa_supplicant along with regular station interfaces, these serve as dummy\\ninterfaces for P2P-capable stations, lack an associated netdev and initiate\\nfrequent scans to discover neighbor p2p devices. When a scan is initiated\\non such P2P vifs, driver selects destination radio (ar) based on scan\\nfrequency, creates a scan vdev, and attaches arvif to the radio. Once the\\nscan completes or is aborted, the scan vdev is deleted, detaching arvif\\nfrom the radio and leaving arvif-\u003ear uninitialized.\\n\\nWhile handling beacon miss for station interfaces, P2P interface is also\\nencountered in the vif iteration and ath12k_mac_handle_beacon_miss_iter()\\ntries to dereference the uninitialized arvif-\u003edeflink-\u003ear.\\n\\nFix this by verifying that vdev is created for the arvif before accessing\\nits ar during beacon miss handling and similar vif iterator callbacks.\\n\\n==========================================================================\\n wlp6s0: detected beacon loss from AP (missed 7 beacons) - probing\\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\\n\\n CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc1-wt-ath+ #2 PREEMPT(full)\\n RIP: 0010:ath12k_mac_handle_beacon_miss_iter+0xb5/0x1a0 [ath12k]\\n Call Trace:\\n  __iterate_interfaces+0x11a/0x410 [mac80211]\\n  ieee80211_iterate_active_interfaces_atomic+0x61/0x140 [mac80211]\\n  ath12k_mac_handle_beacon_miss+0xa1/0xf0 [ath12k]\\n  ath12k_roam_event+0x393/0x560 [ath12k]\\n  ath12k_wmi_op_rx+0x1486/0x28c0 [ath12k]\\n  ath12k_htc_process_trailer.isra.0+0x2fb/0x620 [ath12k]\\n  ath12k_htc_rx_completion_handler+0x448/0x830 [ath12k]\\n  ath12k_ce_recv_process_cb+0x549/0x9e0 [ath12k]\\n  ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k]\\n  ath12k_pci_ce_workqueue+0x69/0x120 [ath12k]\\n  process_one_work+0xe3a/0x1430\\n\\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1\\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284.1-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: ath12k: Evitar el acceso arvif-\u0026gt;ar no inicializado durante un fallo de baliza. Durante la gesti\u00f3n de fallos de baliza, el controlador ath12k itera sobre interfaces virtuales activas (VIF) e intenta acceder al objeto de radio (AR) mediante arvif-\u0026gt;deflink-\u0026gt;ar. Sin embargo, tras el commit aa80f12f3bed (\\\"wifi: ath12k: aplazar la creaci\u00f3n de VDEV para MLO\\\"), arvif se vincula a una radio solo despu\u00e9s de la creaci\u00f3n de VDEV, normalmente cuando se asigna un canal o se solicita un escaneo. Para dispositivos con capacidad P2P, wpa_supplicant crea una interfaz P2P predeterminada junto con las interfaces de estaci\u00f3n normales. Estas sirven como interfaces ficticias para estaciones con capacidad P2P, carecen de un netdev asociado e inician escaneos frecuentes para descubrir dispositivos P2P vecinos. Al iniciar un escaneo en estos vifs P2P, el controlador selecciona la radio de destino (ar) seg\u00fan su frecuencia, crea un vdev de escaneo y asocia el arvif a la radio. Una vez que el escaneo se completa o se aborta, el vdev de escaneo se elimina, desconectando el arvif de la radio y dejando el archivo arvif-\u0026gt;ar sin inicializar. Al gestionar fallos de baliza para las interfaces de estaci\u00f3n, tambi\u00e9n se encuentra la interfaz P2P en la iteraci\u00f3n del vif y ath12k_mac_handle_beacon_miss_iter() intenta desreferenciar el archivo arvif-\u0026gt;deflink-\u0026gt;ar sin inicializar. Para solucionar esto, verifique que el vdev se haya creado para el arvif antes de acceder a su ar durante la gesti\u00f3n de fallos de baliza y devoluciones de llamada similares del iterador vif. ============================================================================ wlp6s0: se detect\u00f3 p\u00e9rdida de baliza del AP (7 balizas perdidas) - sondeando KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc1-wt-ath+ #2 PREEMPT(full) RIP: 0010:ath12k_mac_handle_beacon_miss_iter+0xb5/0x1a0 [ath12k] Call Trace: __iterate_interfaces+0x11a/0x410 [mac80211] ieee80211_iterate_active_interfaces_atomic+0x61/0x140 [mac80211] ath12k_mac_handle_beacon_miss+0xa1/0xf0 [ath12k] ath12k_roam_event+0x393/0x560 [ath12k] ath12k_wmi_op_rx+0x1486/0x28c0 [ath12k] ath12k_htc_process_trailer.isra.0+0x2fb/0x620 [ath12k] ath12k_htc_rx_completion_handler+0x448/0x830 [ath12k] ath12k_ce_recv_process_cb+0x549/0x9e0 [ath12k] ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k] ath12k_pci_ce_workqueue+0x69/0x120 [ath12k] process_one_work+0xe3a/0x1430 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284.1-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 \"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1259b6da8303f70fef6ed4aef8ae3dedfecb0f27\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/36670b67de18f1e5d34900c5d2ac60a8970c293c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9b861dfc5c07defd0191fd3e7288a3179cd9a02e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

