CVE-2025-38291

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/07/2025
Last modified:
19/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash

Currently, we encounter the following kernel call trace when a firmware crash occurs. This happens because the host sends WMI commands to the firmware while it is in recovery, causing the commands to fail and resulting in the kernel call trace.

Set the ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags when the host driver receives the firmware crash notification from MHI. This prevents sending WMI commands to the firmware during recovery.

Call Trace:

  dump_stack_lvl+0x75/0xc0
  register_lock_class+0x6be/0x7a0
  ? __lock_acquire+0x644/0x19a0
  __lock_acquire+0x95/0x19a0
  lock_acquire+0x265/0x310
  ? ath12k_ce_send+0xa2/0x210 [ath12k]
  ? find_held_lock+0x34/0xa0
  ? ath12k_ce_send+0x56/0x210 [ath12k]
  _raw_spin_lock_bh+0x33/0x70
  ? ath12k_ce_send+0xa2/0x210 [ath12k]
  ath12k_ce_send+0xa2/0x210 [ath12k]
  ath12k_htc_send+0x178/0x390 [ath12k]
  ath12k_wmi_cmd_send_nowait+0x76/0xa0 [ath12k]
  ath12k_wmi_cmd_send+0x62/0x190 [ath12k]
  ath12k_wmi_pdev_bss_chan_info_request+0x62/0xc0 [ath1
  ath12k_mac_op_get_survey+0x2be/0x310 [ath12k]
  ieee80211_dump_survey+0x99/0x240 [mac80211]
  nl80211_dump_survey+0xe7/0x470 [cfg80211]
  ? kmalloc_reserve+0x59/0xf0
  genl_dumpit+0x24/0x70
  netlink_dump+0x177/0x360
  __netlink_dump_start+0x206/0x280
  genl_family_rcv_msg_dumpit.isra.22+0x8a/0xe0
  ? genl_family_rcv_msg_attrs_parse.isra.23+0xe0/0xe0
  ? genl_op_lock.part.12+0x10/0x10
  ? genl_dumpit+0x70/0x70
  genl_rcv_msg+0x1d0/0x290
  ? nl80211_del_station+0x330/0x330 [cfg80211]
  ? genl_get_cmd_both+0x50/0x50
  netlink_rcv_skb+0x4f/0x100
  genl_rcv+0x1f/0x30
  netlink_unicast+0x1b6/0x260
  netlink_sendmsg+0x31a/0x450
  __sock_sendmsg+0xa8/0xb0
  ____sys_sendmsg+0x1e4/0x260
  ___sys_sendmsg+0x89/0xe0
  ? local_clock_noinstr+0xb/0xc0
  ? rcu_is_watching+0xd/0x40
  ? kfree+0x1de/0x370
  ? __sys_sendmsg+0x7a/0xc0

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1

Vulnerable products and versions

CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
From: 6.13 (including)
Up to: 6.15.3 (excluding)
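
An exposure check for a host, added here as an example and not part of the CVE record or the kernel project: it compares a kernel release string against the range listed above and checks whether the ath12k module is loaded. The function names are hypothetical, `sort -V` is assumed to be available, and the comparison assumes upstream version numbering, so a vendor kernel carrying a backported fix can still report as in range.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2025-38291.
# Range boundaries are taken from the CPE row of this record.
AFFECTED_FROM="6.13"   # including
FIXED_IN="6.15.3"      # excluding

# Reduce a release string to its numeric part:
# "6.14.0-15-generic" -> "6.14.0", "6.15.0-rc3" -> "6.15.0"
base_version() {
    printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/; s/\.$//'
}

# version_lt A B: succeeds when A sorts strictly before B (version order)
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Succeeds when AFFECTED_FROM <= release < FIXED_IN
kernel_in_affected_range() {
    v=$(base_version "$1")
    ! version_lt "$v" "$AFFECTED_FROM" && version_lt "$v" "$FIXED_IN"
}

# Succeeds when the ath12k module is registered in sysfs.
# $1 overrides the sysfs module directory (used for testing).
ath12k_loaded() {
    [ -d "${1:-/sys/module}/ath12k" ]
}

# assess <kernel release> [sysfs module dir]: print one verdict word
assess() {
    if ! kernel_in_affected_range "$1"; then
        echo "not-in-range"
    elif ath12k_loaded "$2"; then
        echo "in-range-ath12k-loaded"
    else
        echo "in-range-ath12k-not-loaded"
    fi
}

# Report on the running kernel
assess "$(uname -r)"
```

A verdict of `in-range-ath12k-not-loaded` means the kernel version falls in the listed range but the affected driver is not currently in use on that host.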