CVE-2025-38513
published 2025-08-16CVE-2025-38513: In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() There is a…
medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
In the Linux kernel, the following vulnerability has been resolved:
wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()
There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For
example, the following is possible:
T0 T1
zd_mac_tx_to_dev()
/* len == skb_queue_len(q) */
while (len > ZD_MAC_MAX_ACK_WAITERS) {
filter_ack()
spin_lock_irqsave(&q->lock, flags);
/* position == skb_queue_len(q) */
for (i=1; itype == NL80211_IFTYPE_AP)
skb = __skb_dequeue(q);
spin_unlock_irqrestore(&q->lock, flags);
skb_dequeue() -> NULL
Since there is a small gap between checking skb queue length and skb being
unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.
Then the pointer is passed to zd_mac_tx_status() where it is dereferenced.
In order to avoid potential NULL pointer dereference due to situations like
above, check if skb is not NULL before passing it to zd_mac_tx_status().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Affected
38 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 459c51ad6e1fc19e91a53798358433d3c08cd09d < c1958270de947604cc6de05fc96dbba256b49cf0 | c1958270de947604cc6de05fc96dbba256b49cf0 |
| linux | linux | >= 459c51ad6e1fc19e91a53798358433d3c08cd09d < 014c34dc132015c4f918ada4982e952947ac1047 | 014c34dc132015c4f918ada4982e952947ac1047 |
| linux | linux | >= 459c51ad6e1fc19e91a53798358433d3c08cd09d < b24f65c184540dfb967479320ecf7e8c2e9220dc | b24f65c184540dfb967479320ecf7e8c2e9220dc |
| linux | linux | >= 459c51ad6e1fc19e91a53798358433d3c08cd09d < adf08c96b963c7cd7ec1ee1c0c556228d9bedaae | adf08c96b963c7cd7ec1ee1c0c556228d9bedaae |
| linux | linux | >= 459c51ad6e1fc19e91a53798358433d3c08cd09d < 5420de65efbeb6503bcf1d43451c9df67ad60298 | 5420de65efbeb6503bcf1d43451c9df67ad60298 |
| linux | linux | >= 459c51ad6e1fc19e91a53798358433d3c08cd09d < fcd9c923b58e86501450b9b442ccc7ce4a8d0fda | fcd9c923b58e86501450b9b442ccc7ce4a8d0fda |
| linux | linux | >= 459c51ad6e1fc19e91a53798358433d3c08cd09d < 602b4eb2f25668de15de69860ec99caf65b3684d | 602b4eb2f25668de15de69860ec99caf65b3684d |
| linux | linux | >= 459c51ad6e1fc19e91a53798358433d3c08cd09d < 74b1ec9f5d627d2bdd5e5b6f3f81c23317657023 | 74b1ec9f5d627d2bdd5e5b6f3f81c23317657023 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.147-1 | 6.1.147-1 |
| linux | linux_kernel | >= 0 < 6.12.41-1 | 6.12.41-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 0 < 5.15.0-156.166 | 5.15.0-156.166 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 2.6.25 < 5.4.296 | 5.4.296 |
| linux | linux_kernel | >= 5.11 < 5.15.189 | 5.15.189 |
| linux | linux_kernel | >= 5.16 < 6.1.146 | 6.1.146 |
| linux | linux_kernel | >= 5.5 < 5.10.240 | 5.10.240 |
| linux | linux_kernel | >= 6.13 < 6.15.7 | 6.15.7 |
| linux | linux_kernel | >= 6.2 < 6.6.99 | 6.6.99 |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv5.5MEDIUM