CVE-2025-38646

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38646
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38646.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38646
Downstream
Related
Published
2025-08-22T16:15:38Z
Modified
2025-09-06T13:01:26Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band

With a quite rare chance, RX report might be problematic to make SW think a packet is received on 6 GHz band even if the chip does not support 6 GHz band actually. Since SW won't initialize stuffs for unsupported bands, NULL dereference will happen then in the sequence, rtw89vifrxstatsiter() -> rtw89corecancel6ghzprobe_tx(). So, add a check to avoid it.

The following is a crash log for this case.

BUG: kernel NULL pointer dereference, address: 0000000000000032 #PF: supervisor read access in kernel mode #PF: errorcode(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 1907 Comm: irq/131-rtw89p Tainted: G U 6.6.56-05896-g89f5fb0eb30b #1 (HASH:1400 4) Hardware name: Google Telith/Telith, BIOS GoogleTelith.15217.747.0 11/12/2024 RIP: 0010:rtw89vifrxstatsiter+0xd2/0x310 [rtw89core] Code: 4c 89 7d c8 48 89 55 c0 49 8d 44 24 02 48 89 45 b8 45 31 ff eb 11 41 c6 45 3a 01 41 b7 01 4d 8b 6d 00 4d 39 f5 74 42 8b 43 10 <41> 33 45 32 0f b7 4b 14 66 41 33 4d 36 0f b7 c9 09 c1 74 d8 4d 85 RSP: 0018:ffff9f3080138ca0 EFLAGS: 00010246 RAX: 00000000b8bf5770 RBX: ffff91b5e8c639c0 RCX: 0000000000000011 RDX: ffff91b582de1be8 RSI: 0000000000000000 RDI: ffff91b5e8c639e6 RBP: ffff9f3080138d00 R08: 0000000000000000 R09: 0000000000000000 R10: ffff91b59de70000 R11: ffffffffc069be50 R12: ffff91b5e8c639e4 R13: 0000000000000000 R14: ffff91b5828020b8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff91b8efa40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000032 CR3: 00000002bf838000 CR4: 0000000000750ee0 PKRU: 55555554 Call Trace: <IRQ> ? _diebody+0x68/0xb0 ? pagefaultoops+0x379/0x3e0 ? excpagefault+0x4f/0xa0 ? asmexcpagefault+0x22/0x30 ? _pfxrtw89vifrxstatsiter+0x10/0x10 [rtw89core (HASH:1400 5)] ? rtw89vifrxstatsiter+0xd2/0x310 [rtw89core (HASH:1400 5)] _iterateinterfaces+0x59/0x110 [mac80211 (HASH:1400 6)] ? _pfxrtw89vifrxstatsiter+0x10/0x10 [rtw89core (HASH:1400 5)] ? _pfxrtw89vifrxstatsiter+0x10/0x10 [rtw89core (HASH:1400 5)] ieee80211iterateactiveinterfacesatomic+0x36/0x50 [mac80211 (HASH:1400 6)] rtw89corerxtomac80211+0xfd/0x1b0 [rtw89core (HASH:1400 5)] rtw89corerx+0x43a/0x980 [rtw89_core (HASH:1400 5)]

References

Affected packages