CVE-2025-38606

{"id": "CVE-2025-38606", "cveTags": [], "metrics": {}, "published": "2025-08-19T17:15:38.930", "references": [{"url": "https://git.kernel.org/stable/c/1259b6da8303f70fef6ed4aef8ae3dedfecb0f27", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/36670b67de18f1e5d34900c5d2ac60a8970c293c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9b861dfc5c07defd0191fd3e7288a3179cd9a02e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Avoid accessing uninitialized arvif->ar during beacon miss\n\nDuring beacon miss handling, ath12k driver iterates over active virtual\ninterfaces (vifs) and attempts to access the radio object (ar) via\narvif->deflink->ar.\n\nHowever, after commit aa80f12f3bed (\"wifi: ath12k: defer vdev creation for\nMLO\"), arvif is linked to a radio only after vdev creation, typically when\na channel is assigned or a scan is requested.\nFor P2P capable devices, a default P2P interface is created by\nwpa_supplicant along with regular station interfaces, these serve as dummy\ninterfaces for P2P-capable stations, lack an associated netdev and initiate\nfrequent scans to discover neighbor p2p devices. When a scan is initiated\non such P2P vifs, driver selects destination radio (ar) based on scan\nfrequency, creates a scan vdev, and attaches arvif to the radio. Once the\nscan completes or is aborted, the scan vdev is deleted, detaching arvif\nfrom the radio and leaving arvif->ar uninitialized.\n\nWhile handling beacon miss for station interfaces, P2P interface is also\nencountered in the vif iteration and ath12k_mac_handle_beacon_miss_iter()\ntries to dereference the uninitialized arvif->deflink->ar.\n\nFix this by verifying that vdev is created for the arvif before accessing\nits ar during beacon miss handling and similar vif iterator callbacks.\n\n==========================================================================\n wlp6s0: detected beacon loss from AP (missed 7 beacons) - probing\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n\n CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc1-wt-ath+ #2 PREEMPT(full)\n RIP: 0010:ath12k_mac_handle_beacon_miss_iter+0xb5/0x1a0 [ath12k]\n Call Trace:\n __iterate_interfaces+0x11a/0x410 [mac80211]\n ieee80211_iterate_active_interfaces_atomic+0x61/0x140 [mac80211]\n ath12k_mac_handle_beacon_miss+0xa1/0xf0 [ath12k]\n ath12k_roam_event+0x393/0x560 [ath12k]\n ath12k_wmi_op_rx+0x1486/0x28c0 [ath12k]\n ath12k_htc_process_trailer.isra.0+0x2fb/0x620 [ath12k]\n ath12k_htc_rx_completion_handler+0x448/0x830 [ath12k]\n ath12k_ce_recv_process_cb+0x549/0x9e0 [ath12k]\n ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k]\n ath12k_pci_ce_workqueue+0x69/0x120 [ath12k]\n process_one_work+0xe3a/0x1430\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284.1-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: ath12k: Evitar el acceso arvif->ar no inicializado durante un fallo de baliza. Durante la gesti\u00f3n de fallos de baliza, el controlador ath12k itera sobre interfaces virtuales activas (VIF) e intenta acceder al objeto de radio (AR) mediante arvif->deflink->ar. Sin embargo, tras el commit aa80f12f3bed (\"wifi: ath12k: aplazar la creaci\u00f3n de VDEV para MLO\"), arvif se vincula a una radio solo despu\u00e9s de la creaci\u00f3n de VDEV, normalmente cuando se asigna un canal o se solicita un escaneo. Para dispositivos con capacidad P2P, wpa_supplicant crea una interfaz P2P predeterminada junto con las interfaces de estaci\u00f3n normales. Estas sirven como interfaces ficticias para estaciones con capacidad P2P, carecen de un netdev asociado e inician escaneos frecuentes para descubrir dispositivos P2P vecinos. Al iniciar un escaneo en estos vifs P2P, el controlador selecciona la radio de destino (ar) seg\u00fan su frecuencia, crea un vdev de escaneo y asocia el arvif a la radio. Una vez que el escaneo se completa o se aborta, el vdev de escaneo se elimina, desconectando el arvif de la radio y dejando el archivo arvif->ar sin inicializar. Al gestionar fallos de baliza para las interfaces de estaci\u00f3n, tambi\u00e9n se encuentra la interfaz P2P en la iteraci\u00f3n del vif y ath12k_mac_handle_beacon_miss_iter() intenta desreferenciar el archivo arvif->deflink->ar sin inicializar. Para solucionar esto, verifique que el vdev se haya creado para el arvif antes de acceder a su ar durante la gesti\u00f3n de fallos de baliza y devoluciones de llamada similares del iterador vif. ============================================================================ wlp6s0: se detect\u00f3 p\u00e9rdida de baliza del AP (7 balizas perdidas) - sondeando KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc1-wt-ath+ #2 PREEMPT(full) RIP: 0010:ath12k_mac_handle_beacon_miss_iter+0xb5/0x1a0 [ath12k] Call Trace: __iterate_interfaces+0x11a/0x410 [mac80211] ieee80211_iterate_active_interfaces_atomic+0x61/0x140 [mac80211] ath12k_mac_handle_beacon_miss+0xa1/0xf0 [ath12k] ath12k_roam_event+0x393/0x560 [ath12k] ath12k_wmi_op_rx+0x1486/0x28c0 [ath12k] ath12k_htc_process_trailer.isra.0+0x2fb/0x620 [ath12k] ath12k_htc_rx_completion_handler+0x448/0x830 [ath12k] ath12k_ce_recv_process_cb+0x549/0x9e0 [ath12k] ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k] ath12k_pci_ce_workqueue+0x69/0x120 [ath12k] process_one_work+0xe3a/0x1430 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284.1-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 "}], "lastModified": "2025-08-20T14:40:17.713", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}