CVE-2025-38513

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38513
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38513.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38513
Published
2025-08-16T10:55:00.254Z
Modified
2025-11-27T19:35:35.119531Z
Summary
wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()

There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible:

    T0                                      T1

    zd_mac_tx_to_dev()
      /* len == skb_queue_len(q) */
      while (len > ZD_MAC_MAX_ACK_WAITERS) {

                                            filter_ack()
                                              spin_lock_irqsave(&q->lock, flags);
                                              /* position == skb_queue_len(q) */
                                              for (i=1; i<position; i++)
                                                    skb = __skb_dequeue(q)

                                              if (mac->type == NL80211_IFTYPE_AP)
                                                skb = __skb_dequeue(q);
                                              spin_unlock_irqrestore(&q->lock, flags);

        skb_dequeue() -> NULL

Since there is a small gap between checking the skb queue length and the skb being unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL. The pointer is then passed to zd_mac_tx_status(), where it is dereferenced.

To avoid a potential NULL pointer dereference in situations like the one above, check that skb is not NULL before passing it to zd_mac_tx_status().

Found by Linux Verification Center (linuxtesting.org) with SVACE.
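
The check-then-dequeue gap described above can be reproduced deterministically in user space. The following is an added example, not the kernel patch or driver code: the queue type, `trim_queue()`, the `gap` hook, `report_status()` and the threshold `MAX_WAITERS` are all hypothetical stand-ins. The hook plays the role of T1 emptying the queue between T0's length check and its dequeue.

```c
#include <stddef.h>

#define MAX_WAITERS 2   /* constructed threshold, not the driver's value */

struct pkt { struct pkt *next; int status_seen; };
struct queue { struct pkt *head, *tail; unsigned int len; };

static void enqueue(struct queue *q, struct pkt *p) {
    p->next = NULL;
    if (q->tail) q->tail->next = p; else q->head = p;
    q->tail = p; q->len++;
}

/* Like skb_dequeue(): returns NULL when the queue is empty. */
static struct pkt *dequeue(struct queue *q) {
    struct pkt *p = q->head;
    if (!p) return NULL;
    q->head = p->next;
    if (!q->head) q->tail = NULL;
    q->len--;
    return p;
}

/* Stand-in for the T1 side: empties the queue between check and dequeue. */
static void drain_all(struct queue *q) { while (dequeue(q)) {} }

/* Stand-in for the status call, which dereferences its packet. */
static void report_status(struct pkt *p) { p->status_seen = 1; }

/* T0 side: trim the queue down to MAX_WAITERS entries. `gap` (may be NULL)
 * runs after the length check and before the dequeue. Returns how many
 * dequeues came back NULL and were skipped; without the NULL check each of
 * those would reach report_status() and be dereferenced. */
static int trim_queue(struct queue *q, void (*gap)(struct queue *)) {
    int skipped = 0;
    while (q->len > MAX_WAITERS) {        /* length check */
        if (gap) gap(q);                  /* the other thread runs here */
        struct pkt *p = dequeue(q);       /* may now return NULL */
        if (!p) { skipped++; continue; }  /* the guard the fix describes */
        report_status(p);
    }
    return skipped;
}

int main(void) {
    struct pkt a[4] = {{0}}; struct queue q = {0};
    for (int i = 0; i < 4; i++) enqueue(&q, &a[i]);
    return trim_queue(&q, drain_all) == 1 ? 0 : 1;
}
```
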

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/ee626f5d79d5817bb21d6f048dc0da4c4e383443/cves/2025/38xxx/CVE-2025-38513.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Introduced                                  Fixed
459c51ad6e1fc19e91a53798358433d3c08cd09d    c1958270de947604cc6de05fc96dbba256b49cf0
459c51ad6e1fc19e91a53798358433d3c08cd09d    014c34dc132015c4f918ada4982e952947ac1047
459c51ad6e1fc19e91a53798358433d3c08cd09d    b24f65c184540dfb967479320ecf7e8c2e9220dc
459c51ad6e1fc19e91a53798358433d3c08cd09d    adf08c96b963c7cd7ec1ee1c0c556228d9bedaae
459c51ad6e1fc19e91a53798358433d3c08cd09d    5420de65efbeb6503bcf1d43451c9df67ad60298
459c51ad6e1fc19e91a53798358433d3c08cd09d    fcd9c923b58e86501450b9b442ccc7ce4a8d0fda
459c51ad6e1fc19e91a53798358433d3c08cd09d    602b4eb2f25668de15de69860ec99caf65b3684d
459c51ad6e1fc19e91a53798358433d3c08cd09d    74b1ec9f5d627d2bdd5e5b6f3f81c23317657023

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type: ECOSYSTEM

Introduced    Fixed
2.6.25        5.4.296
5.5.0         5.10.240
5.11.0        5.15.189
5.16.0        6.1.146
6.2.0         6.6.99
6.7.0         6.12.39
6.13.0        6.15.7