ghsa-m4rx-9548-xc7v
Vulnerability from github
Published
2025-11-12 12:30
Modified
2025-11-12 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()

In ath12k_dp_mon_rx_deliver_msdu(), peer lookup fails because rxcb->peer_id is not updated with a valid value. This is expected in monitor mode, where RX frames bypass the regular RX descriptor path that typically sets rxcb->peer_id. As a result, the peer is NULL, and link_id and link_valid fields in the RX status are not populated. This leads to a WARN_ON in mac80211 when it receives data frame from an associated station with invalid link_id.

Fix this potential issue by using ppduinfo->peer_id, which holds the correct peer id for the received frame. This ensures that the peer is correctly found and the associated link metadata is updated accordingly.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-40131"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T11:15:42Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()\n\nIn ath12k_dp_mon_rx_deliver_msdu(), peer lookup fails because\nrxcb-\u003epeer_id is not updated with a valid value. This is expected\nin monitor mode, where RX frames bypass the regular RX\ndescriptor path that typically sets rxcb-\u003epeer_id.\nAs a result, the peer is NULL, and link_id and link_valid fields\nin the RX status are not populated. This leads to a WARN_ON in\nmac80211 when it receives data frame from an associated station\nwith invalid link_id.\n\nFix this potential issue by using ppduinfo-\u003epeer_id, which holds\nthe correct peer id for the received frame. This ensures that the\npeer is correctly found and the associated link metadata is updated\naccordingly.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1",
  "id": "GHSA-m4rx-9548-xc7v",
  "modified": "2025-11-12T12:30:27Z",
  "published": "2025-11-12T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40131"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7ca61ed8b3f3fc9a7decd68039cb1d7d1238c566"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da64eb2da76ce5626238a951fdf3e81810454427"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.