CVE-2025-38292
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38292
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38292.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38292
- Downstream
- Related
- Published
- 2025-07-10T07:42:07Z
- Modified
- 2025-10-18T02:09:09.661150Z
- Summary
- wifi: ath12k: fix invalid access to memory
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix invalid access to memory
In ath12kdprxmsducoalesce(), rxcb is fetched from skb and boolean iscontinuation is part of rxcb. Currently, after freeing the skb, the rxcb->iscontinuation accessed again which is wrong since the memory is already freed. This might lead use-after-free error.
Hence, fix by locally defining bool iscontinuation from rxcb, so that after freeing skb, iscontinuation can be used.
Compile tested only.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd889913205cf7ebda905b1e62c5867ed4e39f6c2Fixed371b340affa52f280f6eadfd25fbd43f09f0d5c0
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd889913205cf7ebda905b1e62c5867ed4e39f6c2Fixed5f09d16cd57764c95c8548fe5b70672c9ac01127
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd889913205cf7ebda905b1e62c5867ed4e39f6c2Fixed9f17747fbda6fca934854463873c4abf8061491d
Affected versions
v6.*
v6.1
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
Database specific
vanir_signatures
[
{
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-38292-48bfc5bb",
"digest": {
"length": 1471.0,
"function_hash": "59590064340938818090000774811446962530"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9f17747fbda6fca934854463873c4abf8061491d",
"target": {
"function": "ath12k_dp_rx_msdu_coalesce",
"file": "drivers/net/wireless/ath/ath12k/dp_rx.c"
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-38292-5a8dfd64",
"digest": {
"line_hashes": [
"333558664131610403175053240212043943947",
"23163625407901604220483244914820038827",
"301759173122257290712891996266707163028",
"234367971767814676969932184571380972135",
"16148081456694926184252509776662329346",
"25291703724099058175075681645302929777",
"175209899314940453620129593400363468558",
"157948468688506695788386311926953498",
"62139870447953793452542576312781160657",
"141877891450593377735621897306415359500",
"97188426099269977709982297024658415753",
"63481391882394874477800422442576019053"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9f17747fbda6fca934854463873c4abf8061491d",
"target": {
"file": "drivers/net/wireless/ath/ath12k/dp_rx.c"
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-38292-722d794e",
"digest": {
"line_hashes": [
"333558664131610403175053240212043943947",
"23163625407901604220483244914820038827",
"301759173122257290712891996266707163028",
"234367971767814676969932184571380972135",
"16148081456694926184252509776662329346",
"25291703724099058175075681645302929777",
"175209899314940453620129593400363468558",
"157948468688506695788386311926953498",
"62139870447953793452542576312781160657",
"141877891450593377735621897306415359500",
"97188426099269977709982297024658415753",
"63481391882394874477800422442576019053"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5f09d16cd57764c95c8548fe5b70672c9ac01127",
"target": {
"file": "drivers/net/wireless/ath/ath12k/dp_rx.c"
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-38292-bbc97215",
"digest": {
"length": 1471.0,
"function_hash": "59590064340938818090000774811446962530"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5f09d16cd57764c95c8548fe5b70672c9ac01127",
"target": {
"function": "ath12k_dp_rx_msdu_coalesce",
"file": "drivers/net/wireless/ath/ath12k/dp_rx.c"
}
},
{
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-38292-d8395f47",
"digest": {
"length": 1471.0,
"function_hash": "59590064340938818090000774811446962530"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@371b340affa52f280f6eadfd25fbd43f09f0d5c0",
"target": {
"function": "ath12k_dp_rx_msdu_coalesce",
"file": "drivers/net/wireless/ath/ath12k/dp_rx.c"
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2025-38292-ea3a10d9",
"digest": {
"line_hashes": [
"333558664131610403175053240212043943947",
"23163625407901604220483244914820038827",
"301759173122257290712891996266707163028",
"234367971767814676969932184571380972135",
"16148081456694926184252509776662329346",
"25291703724099058175075681645302929777",
"175209899314940453620129593400363468558",
"157948468688506695788386311926953498",
"62139870447953793452542576312781160657",
"141877891450593377735621897306415359500",
"97188426099269977709982297024658415753",
"63481391882394874477800422442576019053"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@371b340affa52f280f6eadfd25fbd43f09f0d5c0",
"target": {
"file": "drivers/net/wireless/ath/ath12k/dp_rx.c"
}
}
]