CVE-2025-21744: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()

On removal of the device or unloading of the kernel module a potential NULL pointer dereference occurs.

The following sequence deletes the interface:

    brcmf_detach()
      brcmf_remove_interface()
        brcmf_del_if()

Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.

After the brcmf_remove_interface() call, the brcmf_proto_detach() function is called, providing the following sequence:

    brcmf_detach()
      brcmf_proto_detach()
        brcmf_proto_msgbuf_detach()
          brcmf_flowring_detach()
            brcmf_msgbuf_delete_flowring()
              brcmf_msgbuf_remove_flowring()
                brcmf_flowring_delete()
                  brcmf_get_ifp()
                  brcmf_txfinalize()

Since brcmf_get_ifp() can and actually will return NULL in this case, the call to brcmf_txfinalize() will result in a NULL pointer dereference inside brcmf_txfinalize() when trying to update ifp->ndev->stats.tx_errors.

This will only happen if a flowring still has an skb.

Although the NULL pointer dereference has only been seen when trying to update the tx statistic, all other uses of the ifp pointer have been guarded as well with an early return if ifp is NULL.
AI Analysis
Technical Summary
CVE-2025-21744 is a vulnerability in the Linux kernel's Broadcom FullMAC wireless driver (brcmfmac). During removal of the wireless device or unloading of the kernel module, a NULL pointer dereference can occur in brcmf_txfinalize(). It is triggered when the driver attempts to update transmission statistics (specifically tx_errors) through a network interface pointer (ifp) that is NULL because the interface has already been removed.

The sequence leading to the fault starts with deletion of the wireless interface: brcmf_detach() calls brcmf_remove_interface(), which calls brcmf_del_if(), marking the interface index as invalid in the driver's internal state. brcmf_proto_detach() is called next and cascades through several functions until it reaches brcmf_txfinalize(). Because brcmf_get_ifp() returns NULL after interface removal, brcmf_txfinalize() dereferences a NULL pointer when updating network device statistics, causing a kernel NULL pointer dereference and likely a kernel crash (panic). This condition only manifests if a flowring (a data structure managing packet transmission queues) still holds a socket buffer (skb) at the time of interface removal.

The fault has only been observed at the tx statistics update, but the fix guards that update and all other uses of the ifp pointer with an early return if ifp is NULL. The flaw is a NULL pointer dereference on a stale interface lookup in kernel space, which can cause denial of service by crashing the kernel. No evidence currently indicates exploitation in the wild, and no CVSS score has been assigned yet. The vulnerability affects Linux kernel versions whose brcmfmac driver lacks this fix.
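The lookup-then-guard pattern described above, as a simplified userspace model in C. This is an added illustration, not the kernel's code: the struct layouts and the names get_ifp, del_if, txfinalize and flush_flowring are assumptions that only mirror the roles of brcmf_get_ifp(), brcmf_del_if() and brcmf_txfinalize().

```c
#include <stdbool.h>
#include <stddef.h>

#define BSSIDX_INVALID (-1) /* stands in for BRCMF_BSSIDX_INVALID */
#define MAX_IF 4            /* hypothetical table size */

struct ndev_model { unsigned long tx_errors; };
struct if_model { struct ndev_model *ndev; };
struct drvr_model {
    int if2bss[MAX_IF];              /* ifidx -> bsscfgidx */
    struct if_model *iflist[MAX_IF]; /* bsscfgidx -> interface */
};

/* Role of brcmf_get_ifp(): NULL once the mapping has been invalidated. */
static struct if_model *get_ifp(struct drvr_model *d, int ifidx)
{
    if (ifidx < 0 || ifidx >= MAX_IF)
        return NULL;
    int bss = d->if2bss[ifidx];
    return (bss < 0 || bss >= MAX_IF) ? NULL : d->iflist[bss];
}

/* Role of brcmf_del_if(): invalidate if2bss entries matching bsscfgidx. */
static void del_if(struct drvr_model *d, int bsscfgidx)
{
    if (bsscfgidx < 0 || bsscfgidx >= MAX_IF)
        return;
    for (int i = 0; i < MAX_IF; i++)
        if (d->if2bss[i] == bsscfgidx)
            d->if2bss[i] = BSSIDX_INVALID;
    d->iflist[bsscfgidx] = NULL;
}

/* Guarded completion: early return on NULL, as the fix describes. */
static bool txfinalize(struct if_model *ifp)
{
    if (!ifp)
        return false; /* an unguarded version would dereference ifp->ndev */
    ifp->ndev->tx_errors++;
    return true;
}

/* Flush `pending` skbs for ifidx 0, optionally removing the interface first.
 * Returns how many completions reached the tx_errors counter. */
int flush_flowring(bool remove_first, int pending)
{
    struct ndev_model ndev = { 0 };
    struct if_model ifp = { &ndev };
    struct drvr_model d = { { 0, BSSIDX_INVALID, BSSIDX_INVALID, BSSIDX_INVALID }, { &ifp } };
    if (remove_first)
        del_if(&d, d.if2bss[0]);
    for (int i = 0; i < pending; i++)
        txfinalize(get_ifp(&d, 0));
    return (int)ndev.tx_errors;
}
```

With the interface removed first and skbs still pending, every completion takes the early return and no counter is touched; with no pending skbs the guarded path is never reached, matching the "only if a flowring still has an skb" condition.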
Potential Impact
For European organizations, this vulnerability poses a risk primarily as a denial-of-service (DoS) vector on systems running vulnerable Linux kernels with Broadcom FullMAC wireless drivers. Many enterprise and industrial systems, including servers, embedded devices, and network appliances, rely on Linux and may use Broadcom wireless chipsets. Successful exploitation would cause the affected system's kernel to crash, resulting in service interruptions, potential data loss, and operational downtime. This can be particularly impactful in critical infrastructure sectors such as telecommunications, manufacturing, healthcare, and transportation, where wireless connectivity is essential.

While the vulnerability does not appear to allow privilege escalation or remote code execution, the induced kernel panic could be leveraged by attackers to disrupt services or as part of a larger attack chain. Given the widespread use of Linux in European data centers, cloud environments, and IoT deployments, the vulnerability could affect a broad range of systems if unpatched. However, exploitation requires conditions such as unloading the wireless driver or device removal while transmission queues are active, which may limit the ease of triggering the fault remotely. Nonetheless, insider threats or malware with local access could exploit this to cause instability.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Apply the latest Linux kernel updates that include the patch fixing the NULL pointer dereference in brcmf_txfinalize(). Since no patch links are provided, monitoring official Linux kernel mailing lists and vendor advisories for updates is critical.
2) Where immediate patching is not feasible, avoid unloading the brcmfmac kernel module or removing wireless devices while transmission queues are active to prevent triggering the fault.
3) Implement robust monitoring of kernel logs and system stability to detect early signs of crashes related to wireless driver issues.
4) For critical systems, consider disabling or replacing Broadcom FullMAC wireless hardware with alternatives not affected by this vulnerability.
5) Employ access controls to limit local user permissions, reducing the risk of malicious triggering of the vulnerability.
6) Use kernel lockdown features or secure boot mechanisms to prevent unauthorized kernel module unloading.
7) Engage with hardware and Linux distribution vendors to confirm the presence of patches and coordinate timely deployment.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.757Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe865d
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 8:42:24 AM
Last updated: 8/4/2025, 8:11:42 AM