Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-38646

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
22/08/2025
Last modified:
26/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band<br /> <br /> With a quite rare chance, RX report might be problematic to make SW think<br /> a packet is received on 6 GHz band even if the chip does not support 6 GHz<br /> band actually. Since SW won&amp;#39;t initialize stuffs for unsupported bands, NULL<br /> dereference will happen then in the sequence, rtw89_vif_rx_stats_iter() -&gt;<br /> rtw89_core_cancel_6ghz_probe_tx(). So, add a check to avoid it.<br /> <br /> The following is a crash log for this case.<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000032<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 1 PID: 1907 Comm: irq/131-rtw89_p Tainted: G U 6.6.56-05896-g89f5fb0eb30b #1 (HASH:1400 4)<br /> Hardware name: Google Telith/Telith, BIOS Google_Telith.15217.747.0 11/12/2024<br /> RIP: 0010:rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core]<br /> Code: 4c 89 7d c8 48 89 55 c0 49 8d 44 24 02 48 89 45 b8 45 31 ff eb 11<br /> 41 c6 45 3a 01 41 b7 01 4d 8b 6d 00 4d 39 f5 74 42 8b 43 10 33 45<br /> 32 0f b7 4b 14 66 41 33 4d 36 0f b7 c9 09 c1 74 d8 4d 85<br /> RSP: 0018:ffff9f3080138ca0 EFLAGS: 00010246<br /> RAX: 00000000b8bf5770 RBX: ffff91b5e8c639c0 RCX: 0000000000000011<br /> RDX: ffff91b582de1be8 RSI: 0000000000000000 RDI: ffff91b5e8c639e6<br /> RBP: ffff9f3080138d00 R08: 0000000000000000 R09: 0000000000000000<br /> R10: ffff91b59de70000 R11: ffffffffc069be50 R12: ffff91b5e8c639e4<br /> R13: 0000000000000000 R14: ffff91b5828020b8 R15: 0000000000000000<br /> FS: 0000000000000000(0000) GS:ffff91b8efa40000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000032 CR3: 00000002bf838000 CR4: 0000000000750ee0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? __die_body+0x68/0xb0<br /> ? page_fault_oops+0x379/0x3e0<br /> ? exc_page_fault+0x4f/0xa0<br /> ? asm_exc_page_fault+0x22/0x30<br /> ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]<br /> ? rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core (HASH:1400 5)]<br /> __iterate_interfaces+0x59/0x110 [mac80211 (HASH:1400 6)]<br /> ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]<br /> ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)]<br /> ieee80211_iterate_active_interfaces_atomic+0x36/0x50 [mac80211 (HASH:1400 6)]<br /> rtw89_core_rx_to_mac80211+0xfd/0x1b0 [rtw89_core (HASH:1400 5)]<br /> rtw89_core_rx+0x43a/0x980 [rtw89_core (HASH:1400 5)]

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.4 (including) 6.6.102 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.42 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.15.10 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.16 (including) 6.16.1 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools