CVE-2025-21744
- Source
- https://cve.org/CVERecord?id=CVE-2025-21744
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21744.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-21744
- Downstream
- Related
- Published
- 2025-02-27T02:12:17.259Z
- Modified
- 2026-03-20T12:41:09.062025Z
- Summary
- wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()
On removal of the device or unloading of the kernel module a potential NULL pointer dereference occurs.
The following sequence deletes the interface:
brcmfdetach() brcmfremoveinterface() brcmfdel_if()
Inside the brcmfdelif() function the drvr->if2bss[ifidx] is updated to BRCMFBSSIDXINVALID (-1) if the bsscfgidx matches.
After brcmfremoveinterface() call the brcmfprotodetach() function is called providing the following sequence:
brcmfdetach() brcmfprotodetach() brcmfprotomsgbufdetach() brcmfflowringdetach() brcmfmsgbufdeleteflowring() brcmfmsgbufremoveflowring() brcmfflowringdelete() brcmfgetifp() brcmf_txfinalize()
Since brcmfgetip() can and actually will return NULL in this case the call to brcmftxfinalize() will result in a NULL pointer dereference inside brcmftxfinalize() when trying to update ifp->ndev->stats.tx_errors.
This will only happen if a flowring still has an skb.
Although the NULL pointer dereference has only been seen when trying to update the tx statistic, all other uses of the ifp pointer have been guarded as well with an early return if ifp is NULL.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21744.json" }- References
-
- https://git.kernel.org/stable/c/2326e19190e176fd72bb542b837a9d2b7fcb8693
- https://git.kernel.org/stable/c/3877fc67bd3d5566cc12763bce39710ceb74a97d
- https://git.kernel.org/stable/c/4e51d6d093e763348916e69d06d87e0a5593661b
- https://git.kernel.org/stable/c/59ff4fa653ff6db07c61152516ffba79c2a74bda
- https://git.kernel.org/stable/c/61541d9b5a23df33934fcc620a3a81f246b1b240
- https://git.kernel.org/stable/c/68abd0c4ebf24cd499841a488b97a6873d5efabb
- https://git.kernel.org/stable/c/a2beefc4fa49ebc22e664dc6b39dbd054f8488f9
- https://git.kernel.org/stable/c/fbbfef2a5b858eab55741a58b2ac9a0cc8d53c58
- https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21744.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-21744
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced7f00ee2bbc630900ba16fc2690473f3e2db0e264Fixed2326e19190e176fd72bb542b837a9d2b7fcb8693Fixed59ff4fa653ff6db07c61152516ffba79c2a74bdaFixed61541d9b5a23df33934fcc620a3a81f246b1b240Fixed4e51d6d093e763348916e69d06d87e0a5593661bFixed3877fc67bd3d5566cc12763bce39710ceb74a97dFixedfbbfef2a5b858eab55741a58b2ac9a0cc8d53c58Fixeda2beefc4fa49ebc22e664dc6b39dbd054f8488f9Fixed68abd0c4ebf24cd499841a488b97a6873d5efabb
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected6faa698c35a43b9e74ea24e90fe37471d08d00d0Last affected9119232cc92a269d7860b4aa51f07d3923a3cc10