CVE-2025-38513
EUVD-2025-2508516.08.2025, 11:15
In the Linux kernel, the following vulnerability has been resolved:
wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()
There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For
example, the following is possible:
T0 T1
zd_mac_tx_to_dev()
/* len == skb_queue_len(q) */
while (len > ZD_MAC_MAX_ACK_WAITERS) {
filter_ack()
spin_lock_irqsave(&q->lock, flags);
/* position == skb_queue_len(q) */
for (i=1; i<position; i++)
skb = __skb_dequeue(q)
if (mac->type == NL80211_IFTYPE_AP)
skb = __skb_dequeue(q);
spin_unlock_irqrestore(&q->lock, flags);
skb_dequeue() -> NULL
Since there is a small gap between checking skb queue length and skb being
unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.
Then the pointer is passed to zd_mac_tx_status() where it is dereferenced.
In order to avoid potential NULL pointer dereference due to situations like
above, check if skb is not NULL before passing it to zd_mac_tx_status().
Found by Linux Verification Center (linuxtesting.org) with SVACE.EnginsightAffected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 2.6.25 ≤ 𝑥 < 5.4.296 |
| linux | linux_kernel | 5.5 ≤ 𝑥 < 5.10.240 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.189 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.146 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.99 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.39 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.15.7 |
| linux | linux_kernel | 6.16:rc1 |
| linux | linux_kernel | 6.16:rc2 |
| linux | linux_kernel | 6.16:rc3 |
| linux | linux_kernel | 6.16:rc4 |
| linux | linux_kernel | 6.16:rc5 |
| debian | debian_linux | 11.0 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration
References