CVE-2025-37795

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-37795
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVSS

No CVSS.

References

No reference.

Configurations

No configuration.

History

10 May 2025, 14:15

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: mac80211: Actualizar la clave del bloque de control de skb en ieee80211_tx_dequeue() La clave del bloque de control de skb ieee80211 (establecida cuando skb se puso en cola) podría haberse eliminado antes de la llamada a ieee80211_tx_dequeue(). ieee80211_tx_dequeue() ya llamó a ieee80211_tx_h_select_key() para obtener la clave actual, pero este último no actualiza la clave en el bloque de control de skb en caso de que sea NULL. Debido a que algunos controladores realmente usan esta clave en sus devoluciones de llamada TX (por ejemplo, ath1{1,2}k_mac_op_tx()), esto podría llevar a use after free a continuación: ERROR: KASAN: slab-use-after-free en ath11k_mac_op_tx+0x590/0x61c Lectura de tamaño 4 en la dirección ffffff803083c248 por la tarea kworker/u16:4/1440 CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 No contaminado 6.13.0-ge128f627f404 #2 Nombre del hardware: HW (DT) Cola de trabajo: bat_events batadv_send_outstanding_bcast_packet Rastreo de llamadas: show_stack+0x14/0x1c (C) dump_stack_lvl+0x58/0x74 print_report+0x164/0x4c0 kasan_report+0xac/0xe8 __asan_report_load4_noabort+0x1c/0x24 ath11k_mac_op_tx+0x590/0x61c ieee80211_handle_wake_tx_queue+0x12c/0x1c8 ieee80211_queue_skb+0xdcc/0x1b4c ieee80211_tx+0x1ec/0x2bc ieee80211_xmit+0x224/0x324 __ieee80211_subif_start_xmit+0x85c/0xcf8 ieee80211_subif_start_xmit+0xc0/0xec4 dev_hard_start_xmit+0xf4/0x28c __dev_queue_xmit+0x6ac/0x318c batadv_send_skb_packet+0x38c/0x4b0 batadv_send_outstanding_bcast_packet+0x110/0x328 process_one_work+0x578/0xc10 worker_thread+0x4bc/0xc7c kthread+0x2f8/0x380 ret_from_fork+0x10/0x20 Allocated by task 1906: kasan_save_stack+0x28/0x4c kasan_save_track+0x1c/0x40 kasan_save_alloc_info+0x3c/0x4c __kasan_kmalloc+0xac/0xb0 __kmalloc_noprof+0x1b4/0x380 ieee80211_key_alloc+0x3c/0xb64 ieee80211_add_key+0x1b4/0x71c nl80211_new_key+0x2b4/0x5d8 genl_family_rcv_msg_doit+0x198/0x240 <...> Freed by task 1494: kasan_save_stack+0x28/0x4c kasan_save_track+0x1c/0x40 kasan_save_free_info+0x48/0x94 __kasan_slab_free+0x48/0x60 kfree+0xc8/0x31c kfree_sensitive+0x70/0x80 ieee80211_key_free_common+0x10c/0x174 ieee80211_free_keys+0x188/0x46c ieee80211_stop_mesh+0x70/0x2cc ieee80211_leave_mesh+0x1c/0x60 cfg80211_leave_mesh+0xe0/0x280 cfg80211_leave+0x1e0/0x244 <...> Restablezca la clave del bloque de control SKB antes de llamar a ieee80211_tx_h_select_key() para evitar eso.
Summary (en) In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() The ieee80211 skb control block key (set when skb was queued) could have been removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue() already called ieee80211_tx_h_select_key() to get the current key, but the latter do not update the key in skb control block in case it is NULL. Because some drivers actually use this key in their TX callbacks (e.g. ath1{1,2}k_mac_op_tx()) this could lead to the use after free below: BUG: KASAN: slab-use-after-free in ath11k_mac_op_tx+0x590/0x61c Read of size 4 at addr ffffff803083c248 by task kworker/u16:4/1440 CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 Not tainted 6.13.0-ge128f627f404 #2 Hardware name: HW (DT) Workqueue: bat_events batadv_send_outstanding_bcast_packet Call trace: show_stack+0x14/0x1c (C) dump_stack_lvl+0x58/0x74 print_report+0x164/0x4c0 kasan_report+0xac/0xe8 __asan_report_load4_noabort+0x1c/0x24 ath11k_mac_op_tx+0x590/0x61c ieee80211_handle_wake_tx_queue+0x12c/0x1c8 ieee80211_queue_skb+0xdcc/0x1b4c ieee80211_tx+0x1ec/0x2bc ieee80211_xmit+0x224/0x324 __ieee80211_subif_start_xmit+0x85c/0xcf8 ieee80211_subif_start_xmit+0xc0/0xec4 dev_hard_start_xmit+0xf4/0x28c __dev_queue_xmit+0x6ac/0x318c batadv_send_skb_packet+0x38c/0x4b0 batadv_send_outstanding_bcast_packet+0x110/0x328 process_one_work+0x578/0xc10 worker_thread+0x4bc/0xc7c kthread+0x2f8/0x380 ret_from_fork+0x10/0x20 Allocated by task 1906: kasan_save_stack+0x28/0x4c kasan_save_track+0x1c/0x40 kasan_save_alloc_info+0x3c/0x4c __kasan_kmalloc+0xac/0xb0 __kmalloc_noprof+0x1b4/0x380 ieee80211_key_alloc+0x3c/0xb64 ieee80211_add_key+0x1b4/0x71c nl80211_new_key+0x2b4/0x5d8 genl_family_rcv_msg_doit+0x198/0x240 <...> Freed by task 1494: kasan_save_stack+0x28/0x4c kasan_save_track+0x1c/0x40 kasan_save_free_info+0x48/0x94 __kasan_slab_free+0x48/0x60 kfree+0xc8/0x31c kfree_sensitive+0x70/0x80 ieee80211_key_free_common+0x10c/0x174 ieee80211_free_keys+0x188/0x46c ieee80211_stop_mesh+0x70/0x2cc ieee80211_leave_mesh+0x1c/0x60 cfg80211_leave_mesh+0xe0/0x280 cfg80211_leave+0x1e0/0x244 <...> Reset SKB control block key before calling ieee80211_tx_h_select_key() to avoid that. (en) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
References
  • {'url': 'https://git.kernel.org/stable/c/0cbd747f343c28d911443dd4174820600cc0d952', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://git.kernel.org/stable/c/159499c1341f66a71d985e9b79f2131e88d1c646', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://git.kernel.org/stable/c/47fe322fb4e000f3bb89c2b370a15f3dfdfb9109', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://git.kernel.org/stable/c/7fa75affe2a97abface2b0d9b95e15728967dda7', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://git.kernel.org/stable/c/9d00c0a807a3bb7d8fadcd6c26f95f207ab0ce15', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://git.kernel.org/stable/c/a104042e2bf6528199adb6ca901efe7b60c2c27f', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://git.kernel.org/stable/c/a167a2833d3f862e800cc23067b21ff1df3a1085', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://git.kernel.org/stable/c/bb5c4347d50410e3b262c1dd4081e36aa06826f8', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}

02 May 2025, 13:53

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: mac80211: Actualizar la clave del bloque de control de skb en ieee80211_tx_dequeue() La clave del bloque de control de skb ieee80211 (establecida cuando skb se puso en cola) podría haberse eliminado antes de la llamada a ieee80211_tx_dequeue(). ieee80211_tx_dequeue() ya llamó a ieee80211_tx_h_select_key() para obtener la clave actual, pero este último no actualiza la clave en el bloque de control de skb en caso de que sea NULL. Debido a que algunos controladores realmente usan esta clave en sus devoluciones de llamada TX (por ejemplo, ath1{1,2}k_mac_op_tx()), esto podría llevar a use after free a continuación: ERROR: KASAN: slab-use-after-free en ath11k_mac_op_tx+0x590/0x61c Lectura de tamaño 4 en la dirección ffffff803083c248 por la tarea kworker/u16:4/1440 CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 No contaminado 6.13.0-ge128f627f404 #2 Nombre del hardware: HW (DT) Cola de trabajo: bat_events batadv_send_outstanding_bcast_packet Rastreo de llamadas: show_stack+0x14/0x1c (C) dump_stack_lvl+0x58/0x74 print_report+0x164/0x4c0 kasan_report+0xac/0xe8 __asan_report_load4_noabort+0x1c/0x24 ath11k_mac_op_tx+0x590/0x61c ieee80211_handle_wake_tx_queue+0x12c/0x1c8 ieee80211_queue_skb+0xdcc/0x1b4c ieee80211_tx+0x1ec/0x2bc ieee80211_xmit+0x224/0x324 __ieee80211_subif_start_xmit+0x85c/0xcf8 ieee80211_subif_start_xmit+0xc0/0xec4 dev_hard_start_xmit+0xf4/0x28c __dev_queue_xmit+0x6ac/0x318c batadv_send_skb_packet+0x38c/0x4b0 batadv_send_outstanding_bcast_packet+0x110/0x328 process_one_work+0x578/0xc10 worker_thread+0x4bc/0xc7c kthread+0x2f8/0x380 ret_from_fork+0x10/0x20 Allocated by task 1906: kasan_save_stack+0x28/0x4c kasan_save_track+0x1c/0x40 kasan_save_alloc_info+0x3c/0x4c __kasan_kmalloc+0xac/0xb0 __kmalloc_noprof+0x1b4/0x380 ieee80211_key_alloc+0x3c/0xb64 ieee80211_add_key+0x1b4/0x71c nl80211_new_key+0x2b4/0x5d8 genl_family_rcv_msg_doit+0x198/0x240 &lt;...&gt; Freed by task 1494: kasan_save_stack+0x28/0x4c kasan_save_track+0x1c/0x40 kasan_save_free_info+0x48/0x94 __kasan_slab_free+0x48/0x60 kfree+0xc8/0x31c kfree_sensitive+0x70/0x80 ieee80211_key_free_common+0x10c/0x174 ieee80211_free_keys+0x188/0x46c ieee80211_stop_mesh+0x70/0x2cc ieee80211_leave_mesh+0x1c/0x60 cfg80211_leave_mesh+0xe0/0x280 cfg80211_leave+0x1e0/0x244 &lt;...&gt; Restablezca la clave del bloque de control SKB antes de llamar a ieee80211_tx_h_select_key() para evitar eso.

02 May 2025, 07:16

Type Values Removed Values Added
References
  • () https://git.kernel.org/stable/c/47fe322fb4e000f3bb89c2b370a15f3dfdfb9109 -
  • () https://git.kernel.org/stable/c/9d00c0a807a3bb7d8fadcd6c26f95f207ab0ce15 -
  • () https://git.kernel.org/stable/c/bb5c4347d50410e3b262c1dd4081e36aa06826f8 -

01 May 2025, 14:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-01 14:15

Updated : 2025-05-10 14:15

NVD link : CVE-2025-37795

Mitre link : CVE-2025-37795

CVE.ORG link : CVE-2025-37795

JSON object : View

Products Affected

No product.

CWE

No CWE.