CVE-2025-38513
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38513
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38513.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38513
- Downstream
- Related
- Published
- 2025-08-16T11:15:44Z
- Modified
- 2025-08-30T18:01:34Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
wifi: zd1211rw: Fix potential NULL pointer dereference in zdmactxtodev()
There is a potential NULL pointer dereference in zdmactxtodev(). For example, the following is possible:
T0 T1zdmactxtodev() /* len == skbqueuelen(q) */ while (len > ZDMACMAXACKWAITERS) {
filter_ack() spin_lock_irqsave(&q->lock, flags); /* position == skb_queue_len(q) */ for (i=1; i<position; i++) skb = __skb_dequeue(q) if (mac->type == NL80211_IFTYPE_AP) skb = __skb_dequeue(q); spin_unlock_irqrestore(&q->lock, flags); skb_dequeue() -> NULLSince there is a small gap between checking skb queue length and skb being unconditionally dequeued in zdmactxtodev(), skbdequeue() can return NULL. Then the pointer is passed to zdmactxstatus() where it is dereferenced.
In order to avoid potential NULL pointer dereference due to situations like above, check if skb is not NULL before passing it to zdmactx_status().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
- References
-
- https://git.kernel.org/stable/c/014c34dc132015c4f918ada4982e952947ac1047
- https://git.kernel.org/stable/c/5420de65efbeb6503bcf1d43451c9df67ad60298
- https://git.kernel.org/stable/c/602b4eb2f25668de15de69860ec99caf65b3684d
- https://git.kernel.org/stable/c/74b1ec9f5d627d2bdd5e5b6f3f81c23317657023
- https://git.kernel.org/stable/c/adf08c96b963c7cd7ec1ee1c0c556228d9bedaae
- https://git.kernel.org/stable/c/b24f65c184540dfb967479320ecf7e8c2e9220dc
- https://git.kernel.org/stable/c/c1958270de947604cc6de05fc96dbba256b49cf0
- https://git.kernel.org/stable/c/fcd9c923b58e86501450b9b442ccc7ce4a8d0fda