CVE-2025-38646

With a quite rare chance, RX report might be problematic to make SW think a packet is received on 6 GHz band even if the chip does not support 6 GHz band actually. Since SW won't initialize stuffs for unsupported bands, NULL dereference will happen then in the sequence, rtw89vifrxstatsiter() -> rtw89corecancel6ghzprobe_tx(). So, add a check to avoid it.

The following is a crash log for this case.

BUG: kernel NULL pointer dereference, address: 0000000000000032 #PF: supervisor read access in kernel mode #PF: errorcode(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 1907 Comm: irq/131-rtw89p Tainted: G U 6.6.56-05896-g89f5fb0eb30b #1 (HASH:1400 4) Hardware name: Google Telith/Telith, BIOS GoogleTelith.15217.747.0 11/12/2024 RIP: 0010:rtw89vifrxstatsiter+0xd2/0x310 [rtw89core] Code: 4c 89 7d c8 48 89 55 c0 49 8d 44 24 02 48 89 45 b8 45 31 ff eb 11 41 c6 45 3a 01 41 b7 01 4d 8b 6d 00 4d 39 f5 74 42 8b 43 10 <41> 33 45 32 0f b7 4b 14 66 41 33 4d 36 0f b7 c9 09 c1 74 d8 4d 85 RSP: 0018:ffff9f3080138ca0 EFLAGS: 00010246 RAX: 00000000b8bf5770 RBX: ffff91b5e8c639c0 RCX: 0000000000000011 RDX: ffff91b582de1be8 RSI: 0000000000000000 RDI: ffff91b5e8c639e6 RBP: ffff9f3080138d00 R08: 0000000000000000 R09: 0000000000000000 R10: ffff91b59de70000 R11: ffffffffc069be50 R12: ffff91b5e8c639e4 R13: 0000000000000000 R14: ffff91b5828020b8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff91b8efa40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000032 CR3: 00000002bf838000 CR4: 0000000000750ee0 PKRU: 55555554 Call Trace: <IRQ> ? _diebody+0x68/0xb0 ? pagefaultoops+0x379/0x3e0 ? excpagefault+0x4f/0xa0 ? asmexcpagefault+0x22/0x30 ? _pfxrtw89vifrxstatsiter+0x10/0x10 [rtw89core (HASH:1400 5)] ? rtw89vifrxstatsiter+0xd2/0x310 [rtw89core (HASH:1400 5)] _iterateinterfaces+0x59/0x110 [mac80211 (HASH:1400 6)] ? _pfxrtw89vifrxstatsiter+0x10/0x10 [rtw89core (HASH:1400 5)] ? _pfxrtw89vifrxstatsiter+0x10/0x10 [rtw89core (HASH:1400 5)] ieee80211iterateactiveinterfacesatomic+0x36/0x50 [mac80211 (HASH:1400 6)] rtw89corerxtomac80211+0xfd/0x1b0 [rtw89core (HASH:1400 5)] rtw89corerx+0x43a/0x980 [rtw89_core (HASH:1400 5)]

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0

Fixed

892b29eab44b1803d2cad8e50f1bc2144ef478cb

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0

Fixed

77a7a48f87d673a68664bebf044214821decbfda

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0

Fixed

f3527ac15a00916e68ecb495b74dbe6a6c62a06f

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0

Fixed

4b525630729082f026e7030eafccf89e3add7eae

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c6aa9a9c47252ac7b07ed6d10459027e2f2a2de0

Fixed

7e04f01bb94fe61c73cc59f0495c3b6c16a83231

Affected versions

v6.*

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.15

v6.12.16

v6.12.17

v6.12.18

v6.12.19

v6.12.2

v6.12.20

v6.12.21

v6.12.22

v6.12.23

v6.12.24

v6.12.25

v6.12.26

v6.12.27

v6.12.28

v6.12.29

v6.12.3

v6.12.30

v6.12.31

v6.12.32

v6.12.33

v6.12.34

v6.12.35

v6.12.36

v6.12.37

v6.12.38

v6.12.39

v6.12.4

v6.12.40

v6.12.41

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.15.1

v6.15.2

v6.15.3

v6.15.4

v6.15.5

v6.15.6

v6.15.7

v6.15.8

v6.15.9

v6.16

v6.16-rc1

v6.16-rc2

v6.16-rc3

v6.16-rc4

v6.16-rc5

v6.16-rc6

v6.16-rc7

v6.2

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.100

v6.6.101

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.24

v6.6.25

v6.6.26

v6.6.27

v6.6.28

v6.6.29

v6.6.3

v6.6.30

v6.6.31

v6.6.32

v6.6.33

v6.6.34

v6.6.35

v6.6.36

v6.6.37

v6.6.38

v6.6.39

v6.6.4

v6.6.40

v6.6.41

v6.6.42

v6.6.43

v6.6.44

v6.6.45

v6.6.46

v6.6.47

v6.6.48

v6.6.49

v6.6.5

v6.6.50

v6.6.51

v6.6.52

v6.6.53

v6.6.54

v6.6.55

v6.6.56

v6.6.57

v6.6.58

v6.6.59

v6.6.6

v6.6.60

v6.6.61

v6.6.62

v6.6.63

v6.6.64

v6.6.65

v6.6.66

v6.6.67

v6.6.68

v6.6.69

v6.6.7

v6.6.70

v6.6.71

v6.6.72

v6.6.73

v6.6.74

v6.6.75

v6.6.76

v6.6.77

v6.6.78

v6.6.79

v6.6.8

v6.6.80

v6.6.81

v6.6.82

v6.6.83

v6.6.84

v6.6.85

v6.6.86

v6.6.87

v6.6.88

v6.6.89

v6.6.9

v6.6.90

v6.6.91

v6.6.92

v6.6.93

v6.6.94

v6.6.95

v6.6.96

v6.6.97

v6.6.98

v6.6.99

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "332261096944371504028498822397789114328",
                "50881005660589892458427862941904705535",
                "52914052740485308675448993885594953836"
            ]
        },
        "id": "CVE-2025-38646-2091ea3c",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7e04f01bb94fe61c73cc59f0495c3b6c16a83231",
        "target": {
            "file": "drivers/net/wireless/realtek/rtw89/core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "function_hash": "108183317543559095839841111217980727079",
            "length": 815.0
        },
        "id": "CVE-2025-38646-4138dad9",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f3527ac15a00916e68ecb495b74dbe6a6c62a06f",
        "target": {
            "function": "rtw89_core_cancel_6ghz_probe_tx",
            "file": "drivers/net/wireless/realtek/rtw89/core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "332261096944371504028498822397789114328",
                "50881005660589892458427862941904705535",
                "52914052740485308675448993885594953836"
            ]
        },
        "id": "CVE-2025-38646-475fa93e",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@892b29eab44b1803d2cad8e50f1bc2144ef478cb",
        "target": {
            "file": "drivers/net/wireless/realtek/rtw89/core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "function_hash": "108183317543559095839841111217980727079",
            "length": 815.0
        },
        "id": "CVE-2025-38646-553285ba",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7e04f01bb94fe61c73cc59f0495c3b6c16a83231",
        "target": {
            "function": "rtw89_core_cancel_6ghz_probe_tx",
            "file": "drivers/net/wireless/realtek/rtw89/core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "function_hash": "27098220198399409202417116957108940134",
            "length": 806.0
        },
        "id": "CVE-2025-38646-6f8f8839",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@77a7a48f87d673a68664bebf044214821decbfda",
        "target": {
            "function": "rtw89_core_cancel_6ghz_probe_tx",
            "file": "drivers/net/wireless/realtek/rtw89/core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "function_hash": "108183317543559095839841111217980727079",
            "length": 815.0
        },
        "id": "CVE-2025-38646-86b04e4c",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4b525630729082f026e7030eafccf89e3add7eae",
        "target": {
            "function": "rtw89_core_cancel_6ghz_probe_tx",
            "file": "drivers/net/wireless/realtek/rtw89/core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "function_hash": "27098220198399409202417116957108940134",
            "length": 806.0
        },
        "id": "CVE-2025-38646-a0413d2c",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@892b29eab44b1803d2cad8e50f1bc2144ef478cb",
        "target": {
            "function": "rtw89_core_cancel_6ghz_probe_tx",
            "file": "drivers/net/wireless/realtek/rtw89/core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "332261096944371504028498822397789114328",
                "50881005660589892458427862941904705535",
                "52914052740485308675448993885594953836"
            ]
        },
        "id": "CVE-2025-38646-af53c027",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4b525630729082f026e7030eafccf89e3add7eae",
        "target": {
            "file": "drivers/net/wireless/realtek/rtw89/core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "332261096944371504028498822397789114328",
                "50881005660589892458427862941904705535",
                "52914052740485308675448993885594953836"
            ]
        },
        "id": "CVE-2025-38646-ca83ce21",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f3527ac15a00916e68ecb495b74dbe6a6c62a06f",
        "target": {
            "file": "drivers/net/wireless/realtek/rtw89/core.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "332261096944371504028498822397789114328",
                "50881005660589892458427862941904705535",
                "52914052740485308675448993885594953836"
            ]
        },
        "id": "CVE-2025-38646-f6a00935",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@77a7a48f87d673a68664bebf044214821decbfda",
        "target": {
            "file": "drivers/net/wireless/realtek/rtw89/core.c"
        }
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4.0

Fixed

6.6.102

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.42

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.15.10

Type: ECOSYSTEM
Events: Introduced

6.16.0

Fixed

6.16.1