CVE-2025-38450

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38450
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38450.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38450
Downstream
Published
2025-07-25T16:15:30Z
Modified
2025-08-13T12:49:56.984287Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925stasetdecapoffload()

Add a NULL check for msta->vif before accessing its members to prevent a kernel panic in AP mode deployment. This also fix the issue reported in [1].

The crash occurs when this function is triggered before the station is fully initialized. The call trace shows a page fault at mt7925stasetdecapoffload() due to accessing resources when msta->vif is NULL.

Fix this by adding an early return if msta->vif is NULL and also check wcid.sta is ready. This ensures we only proceed with decap offload configuration when the station's state is properly initialized.

[14739.655703] Unable to handle kernel paging request at virtual address ffffffffffffffa0 [14739.811820] CPU: 0 UID: 0 PID: 895854 Comm: hostapd Tainted: G [14739.821394] Tainted: [C]=CRAP, [O]=OOTMODULE [14739.825746] Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT) [14739.831577] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [14739.838538] pc : mt7925stasetdecapoffload+0xc0/0x1b8 [mt7925common] [14739.845271] lr : mt7925stasetdecapoffload+0x58/0x1b8 [mt7925common] [14739.851985] sp : ffffffc085efb500 [14739.855295] x29: ffffffc085efb500 x28: 0000000000000000 x27: ffffff807803a158 [14739.862436] x26: ffffff8041ececb8 x25: 0000000000000001 x24: 0000000000000001 [14739.869577] x23: 0000000000000001 x22: 0000000000000008 x21: ffffff8041ecea88 [14739.876715] x20: ffffff8041c19ca0 x19: ffffff8078031fe0 x18: 0000000000000000 [14739.883853] x17: 0000000000000000 x16: ffffffe2aeac1110 x15: 000000559da48080 [14739.890991] x14: 0000000000000001 x13: 0000000000000000 x12: 0000000000000000 [14739.898130] x11: 0a10020001008e88 x10: 0000000000001a50 x9 : ffffffe26457bfa0 [14739.905269] x8 : ffffff8042013bb0 x7 : ffffff807fb6cbf8 x6 : dead000000000100 [14739.912407] x5 : dead000000000122 x4 : ffffff80780326c8 x3 : 0000000000000000 [14739.919546] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff8041ececb8 [14739.926686] Call trace: [14739.929130] mt7925stasetdecapoffload+0xc0/0x1b8 [mt7925common] [14739.935505] ieee80211checkfastrx+0x19c/0x510 [mac80211] [14739.941344] _stainfomovestate+0xe4/0x510 [mac80211] [14739.946860] stainfomovestate+0x1c/0x30 [mac80211] [14739.952116] staapplyauthflags.constprop.0+0x90/0x1b0 [mac80211] [14739.958708] staapplyparameters+0x234/0x5e0 [mac80211] [14739.964332] ieee80211addstation+0xdc/0x190 [mac80211] [14739.969950] nl80211newstation+0x46c/0x670 [cfg80211] [14739.975516] genlfamilyrcvmsgdoit+0xdc/0x150 [14739.980158] genlrcvmsg+0x218/0x298 [14739.983830] netlinkrcvskb+0x64/0x138 [14739.987670] genlrcv+0x40/0x60 [14739.990816] netlinkunicast+0x314/0x380 [14739.994742] netlinksendmsg+0x198/0x3f0 [14739.998664] socksendmsg+0x64/0xc0 [14740.002324] syssendmsg+0x260/0x298 [14740.006242] _syssendmsg+0xb4/0x110

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.41-1

Affected versions

6.*

6.12.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.12.38-1
6.13~rc6-1~exp1
6.13~rc7-1~exp1
6.13.2-1~exp1
6.13.3-1~exp1
6.13.4-1~exp1
6.13.5-1~exp1
6.13.6-1~exp1
6.13.7-1~exp1
6.13.8-1~exp1
6.13.9-1~exp1
6.13.10-1~exp1
6.13.11-1~exp1
6.14.3-1~exp1
6.14.5-1~exp1
6.14.6-1~exp1
6.15~rc7-1~exp1
6.15-1~exp1
6.15.1-1~exp1
6.15.2-1~exp1
6.15.3-1~exp1
6.15.4-1~exp1
6.15.5-1~exp1
6.15.6-1~exp1
6.16~rc7-1~exp1
6.16-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}