CVE-2025-38290

{"id": "CVE-2025-38290", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-07-10T08:15:27.583", "references": [{"url": "https://git.kernel.org/stable/c/6285516170f9e2f04b9dbf1e5100e0d7cbac22b4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6bfe7ae9bbd9734751b853e2d2e1c13e8b46fd2d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/823435bd23108d6f8be89ea2d025c0e2e3769c51", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/be049199dec9189602bc06e2c70eda3aa0f2ea6e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-672"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix node corruption in ar->arvifs list\n\nIn current WLAN recovery code flow, ath12k_core_halt() only reinitializes\nthe \"arvifs\" list head. This will cause the list node immediately following\nthe list head to become an invalid list node. Because the prev of that node\nstill points to the list head \"arvifs\", but the next of the list head\n\"arvifs\" no longer points to that list node.\n\nWhen a WLAN recovery occurs during the execution of a vif removal, and it\nhappens before the spin_lock_bh(&ar->data_lock) in\nath12k_mac_vdev_delete(), list_del() will detect the previously mentioned\nsituation, thereby triggering a kernel panic.\n\nThe fix is to remove and reinitialize all vif list nodes from the list head\n\"arvifs\" during WLAN halt. The reinitialization is to make the list nodes\nvalid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute\nnormally.\n\nCall trace:\n__list_del_entry_valid_or_report+0xd4/0x100 (P)\nath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k]\nath12k_scan_vdev_clean_work+0x40/0x164 [ath12k]\ncfg80211_wiphy_work+0xfc/0x100\nprocess_one_work+0x164/0x2d0\nworker_thread+0x254/0x380\nkthread+0xfc/0x100\nret_from_fork+0x10/0x20\n\nThe change is mostly copied from the ath11k patch:\nhttps://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: ath12k: correcci\u00f3n de corrupci\u00f3n de nodos en la lista ar->arvifs. En el flujo de c\u00f3digo de recuperaci\u00f3n de WLAN actual, ath12k_core_halt() solo reinicializa la cabecera de lista \"arvifs\". Esto provocar\u00e1 que el nodo de lista inmediatamente posterior a la cabecera de lista se convierta en un nodo de lista inv\u00e1lido. Esto se debe a que el nodo anterior de ese nodo a\u00fan apunta a la cabecera de lista \"arvifs\", pero el siguiente ya no apunta a ese nodo. Cuando se produce una recuperaci\u00f3n de WLAN durante la ejecuci\u00f3n de una eliminaci\u00f3n de vif, y esto ocurre antes de spin_lock_bh(&ar->data_lock) en ath12k_mac_vdev_delete(), list_del() detectar\u00e1 la situaci\u00f3n mencionada anteriormente, lo que activar\u00e1 un p\u00e1nico del kernel. La soluci\u00f3n consiste en eliminar y reinicializar todos los nodos de lista vif de la cabecera de lista \"arvifs\" durante la detenci\u00f3n de WLAN. La reinicializaci\u00f3n valida los nodos de la lista, garantizando as\u00ed que list_del() en ath12k_mac_vdev_delete() pueda ejecutarse correctamente. Rastreo de llamadas: __list_del_entry_valid_or_report+0xd4/0x100 (P) ath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k] ath12k_scan_vdev_clean_work+0x40/0x164 [ath12k] cfg80211_wiphy_work+0xfc/0x100 process_one_work+0x164/0x2d0 worker_thread+0x254/0x380 kthread+0xfc/0x100 ret_from_fork+0x10/0x20 The change is mostly copied from the ath11k patch: https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/ Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 "}], "lastModified": "2025-11-19T20:39:48.103", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F32A46D-A3D6-46B7-841B-D6FED06301AA", "versionEndExcluding": "6.6.94", "versionStartIncluding": "6.3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4FFA54AA-CDFE-4591-BD07-72813D0948F4", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0541C761-BD5E-4C1A-8432-83B375D7EB92", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.13"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}