CVE-2025-38159

03.07.2025, 09:15

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

Set the size to 6 instead of 2, since 'para' array is passed to
'rtw_fw_bt_wifi_control(rtwdev, para[0], &para[1])', which reads
5 bytes:

void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)
{
    ...
    SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);
    SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));
    ...
    SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));

Detected using the static analysis tool - Svace.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
Linux	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

linux

bullseye	vulnerable
bullseye (security)	vulnerable
bookworm	vulnerable
bookworm (security)	vulnerable
trixie (security)	vulnerable
sid	vulnerable
trixie	vulnerable

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein lokaler Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen und andere, nicht spezifizierte Auswirkungen zu verursachen.
Published: 2025-07-02T22:00:00+00:00

References

https://git.kernel.org/stable/c/1ee8ea6937d13b20f90ff35d71ccc03ba448182d

https://git.kernel.org/stable/c/4c2c372de2e108319236203cce6de44d70ae15cd

https://git.kernel.org/stable/c/68a1037f0bac4de9a585aa9c879ef886109f3647

https://git.kernel.org/stable/c/74e18211c2c89ab66c9546baa7408288db61aa0d

https://git.kernel.org/stable/c/9febcc8bded8be0d7efd8237fcef599b6d93b788

https://git.kernel.org/stable/c/c13255389499275bc5489a0b5b7940ccea3aef04