CVE-2025-39750
Severity CVSS v4.0:
Pending analysis
Type:
CWE-125
Out-of-bounds Read
Publication date:
11/09/2025
Last modified:
25/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
wifi: ath12k: Correct tid cleanup when tid setup fails<br />
<br />
Currently, if any error occurs during ath12k_dp_rx_peer_tid_setup(),<br />
the tid value is already incremented, even though the corresponding<br />
TID is not actually allocated. Proceed to<br />
ath12k_dp_rx_peer_tid_delete() starting from unallocated tid,<br />
which might leads to freeing unallocated TID and cause potential<br />
crash or out-of-bounds access.<br />
<br />
Hence, fix by correctly decrementing tid before cleanup to match only<br />
the successfully allocated TIDs.<br />
<br />
Also, remove tid-- from failure case of ath12k_dp_rx_peer_frag_setup(),<br />
as decrementing the tid before cleanup in loop will take care of this.<br />
<br />
Compile tested only.
Impact
Base Score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.3 (including) | 6.6.103 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.43 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.16 (including) | 6.16.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2ef17d1476ab26bce89764e2f16833d7f52acc38
- https://git.kernel.org/stable/c/30cad87978057516c93467516bc481a3eacfd66a
- https://git.kernel.org/stable/c/4a2bf707270f897ab8077baee8ed5842a5321686
- https://git.kernel.org/stable/c/6301fe4f209165334d251a1c6da8ae47f93cb32c
- https://git.kernel.org/stable/c/907c630e58af9e86e215f3951c7b287bd86d0f15