
CVE-2025-37794: Vulnerability in the Linux kernel (Linux / Linux)

Severity: High
Tags: Vulnerability, cve, cve-2025-37794
Published: Thu May 01 2025 (05/01/2025, 13:07:26 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: Purge vif txq in ieee80211_do_stop()

After ieee80211_do_stop() SKB from vif's txq could still be processed. Indeed another concurrent vif schedule_and_wake_txq call could cause those packets to be dequeued (see ieee80211_handle_wake_tx_queue()) without checking the sdata current state.

Because vif.drv_priv is now cleared in this function, this could lead to driver crash.

For example in ath12k, ahvif is stored in vif.drv_priv. Thus if ath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif->ah can be NULL, leading the ath12k_warn(ahvif->ah,...) call in this function to trigger the NULL deref below.

Unable to handle kernel paging request at virtual address dfffffc000000001
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
batman_adv: bat0: Interface deactivated: brbh1337
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfffffc000000001] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1] SMP
CPU: 1 UID: 0 PID: 978 Comm: lbd Not tainted 6.13.0-g633f875b8f1e #114
Hardware name: HW (DT)
pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k]
lr : ath12k_mac_op_tx+0x174/0x29b8 [ath12k]
sp : ffffffc086ace450
Call trace:
 ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] (P)
 ieee80211_handle_wake_tx_queue+0x16c/0x260
 ieee80211_queue_skb+0xeec/0x1d20
 ieee80211_tx+0x200/0x2c8
 ieee80211_xmit+0x22c/0x338
 __ieee80211_subif_start_xmit+0x7e8/0xc60
 ieee80211_subif_start_xmit+0xc4/0xee0
 __ieee80211_subif_start_xmit_8023.isra.0+0x854/0x17a0
 ieee80211_subif_start_xmit_8023+0x124/0x488
 dev_hard_start_xmit+0x160/0x5a8
 __dev_queue_xmit+0x6f8/0x3120
 br_dev_queue_push_xmit+0x120/0x4a8
 __br_forward+0xe4/0x2b0
 deliver_clone+0x5c/0xd0
 br_flood+0x398/0x580
 br_dev_xmit+0x454/0x9f8
 dev_hard_start_xmit+0x160/0x5a8
 __dev_queue_xmit+0x6f8/0x3120
 ip6_finish_output2+0xc28/0x1b60
 __ip6_finish_output+0x38c/0x638
 ip6_output+0x1b4/0x338
 ip6_local_out+0x7c/0xa8
 ip6_send_skb+0x7c/0x1b0
 ip6_push_pending_frames+0x94/0xd0
 rawv6_sendmsg+0x1a98/0x2898
 inet_sendmsg+0x94/0xe0
 __sys_sendto+0x1e4/0x308
 __arm64_sys_sendto+0xc4/0x140
 do_el0_svc+0x110/0x280
 el0_svc+0x20/0x60
 el0t_64_sync_handler+0x104/0x138
 el0t_64_sync+0x154/0x158

To avoid that, empty vif's txq at ieee80211_do_stop() so no packet could be dequeued after ieee80211_do_stop() (new packets cannot be queued because SDATA_STATE_RUNNING is cleared at this point).
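The ordering problem above, modelled in a small userspace C program added here (it is not kernel or ath12k code; struct vif, txq_push, wake_tx_queue and the two do_stop variants are hypothetical stand-ins). The vulnerable stop clears drv_priv but leaves frames queued, so a late wake_tx_queue hands them to a driver op that touches drv_priv; the fixed stop purges the queue first, and the cleared RUNNING bit keeps new frames out.

```c
/* Added userspace model of the CVE-2025-37794 ordering bug; hypothetical
 * names, not kernel code. A "frame" is just an int id. */
#include <stdbool.h>
#include <stddef.h>
#define SDATA_STATE_RUNNING 0x1u
#define QLEN 8
/* Stand-in for the vif, its sdata state bits and its per-vif txq ring. */
struct vif {
    unsigned int state;
    int *drv_priv;              /* cleared on stop, like vif.drv_priv */
    int txq[QLEN], head, tail;
};
static bool txq_push(struct vif *v, int skb) {
    if (!(v->state & SDATA_STATE_RUNNING) || v->tail - v->head == QLEN)
        return false;           /* no new frames once RUNNING is cleared */
    v->txq[v->tail++ % QLEN] = skb;
    return true;
}
/* Driver tx op: uses drv_priv without checking sdata state, as
 * ath12k_mac_op_tx does with ahvif->ah; -1 where it would NULL-deref. */
static int driver_op_tx(struct vif *v, int skb) {
    if (!v->drv_priv) return -1;
    *v->drv_priv += skb > 0;    /* "transmit": count the frame */
    return 0;
}
/* A late wake_tx_queue drains the txq; returns frames that met NULL drv_priv. */
static int wake_tx_queue(struct vif *v) {
    int bad = 0;
    for (; v->head != v->tail; v->head++)
        if (driver_op_tx(v, v->txq[v->head % QLEN]) < 0) bad++;
    return bad;
}
static void do_stop_vulnerable(struct vif *v) {
    v->state &= ~SDATA_STATE_RUNNING;
    v->drv_priv = NULL;         /* txq left intact: stale frames remain */
}
static void do_stop_fixed(struct vif *v) {
    v->state &= ~SDATA_STATE_RUNNING;
    v->head = v->tail;          /* purge txq before drv_priv goes away */
    v->drv_priv = NULL;
}
/* Two frames queued, stop, a rejected late enqueue, then a late wake. */
static int run_scenario(void (*stop)(struct vif *)) {
    int tx_count = 0;
    struct vif v = { SDATA_STATE_RUNNING, &tx_count, {0}, 0, 0 };
    txq_push(&v, 1); txq_push(&v, 2);
    stop(&v);
    return txq_push(&v, 3) ? -1 : wake_tx_queue(&v); /* -1: enqueue not blocked */
}
```

run_scenario(do_stop_vulnerable) reports two frames reaching the driver with a NULL drv_priv, while run_scenario(do_stop_fixed) reports none.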

AI-Powered Analysis

Last updated: 07/03/2025, 23:25:56 UTC

Technical Analysis

CVE-2025-37794 is a vulnerability in the Linux kernel's mac80211 wireless subsystem, specifically in how a virtual interface's (vif) transmit queue (txq) is handled when the interface is stopped. In ieee80211_do_stop(), the vif's txq was not purged before the vif.drv_priv pointer was cleared. This leaves a race window in which a concurrent ieee80211_handle_wake_tx_queue() call can dequeue packets from the txq without checking the current state of the interface (sdata). Because vif.drv_priv has already been cleared, a driver transmit path that relies on that pointer, such as ath12k_mac_op_tx() in the ath12k driver, dereferences NULL and crashes the kernel. The crash appears as a kernel oops from an invalid memory access and results in denial of service (DoS) on affected systems. The root cause is that packets can still be processed after the interface has been stopped, violating the state assumptions the driver relies on. The fix empties the vif's txq inside ieee80211_do_stop() so that no packet can be dequeued after the interface stops; new packets cannot be queued at that point because SDATA_STATE_RUNNING has already been cleared. This vulnerability affects Linux kernel versions containing commit ba8c3d6f16a1f9305c23ac1d2fd3992508c5ac03 and likely related versions with the same code. No exploits are known in the wild as of the publication date (May 1, 2025).

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to systems running Linux kernels with the affected mac80211 wireless stack, especially those using the ath12k wireless driver or similar drivers that rely on the vif.drv_priv pointer. The impact is a potential denial of service via kernel crashes triggered by the race condition in wireless transmit queues. This can disrupt wireless network connectivity, affecting critical infrastructure, enterprise networks, and wireless-enabled devices. The DoS could lead to operational downtime, loss of productivity, and potential cascading failures in network-dependent services. Since the vulnerability is in the kernel, it affects all applications relying on wireless networking, including embedded devices, servers, and user endpoints. Confidentiality and integrity impacts are limited, as the vulnerability does not directly enable code execution or privilege escalation, but availability is severely impacted. The lack of any requirement for user interaction or authentication to trigger the issue increases the threat level, especially in environments with exposed wireless interfaces or untrusted users. European organizations with extensive Linux deployments in wireless environments, in sectors such as telecommunications, manufacturing, and the public sector, are at risk of service interruptions and must prioritize patching.

Mitigation Recommendations

1. Immediate deployment of Linux kernel updates that include the patch for CVE-2025-37794 is critical. Organizations should track vendor advisories and apply kernel patches promptly.
2. For systems where immediate patching is not feasible, disable or restrict wireless interfaces using the affected drivers (e.g., ath12k) to prevent exploitation.
3. Implement kernel crash monitoring and alerting to detect early signs of exploitation attempts or instability related to wireless interfaces.
4. Use network segmentation to isolate critical systems from untrusted wireless networks, reducing exposure.
5. Employ strict access controls and network policies to limit the ability of unprivileged users or processes to interact with wireless interfaces.
6. For embedded or IoT devices running affected kernels, coordinate with vendors for firmware updates or consider device replacement if patches are unavailable.
7. Conduct thorough testing of wireless driver updates in staging environments to ensure stability before production deployment.
8. Maintain an up-to-date inventory of Linux kernel versions and wireless drivers in use to prioritize remediation efforts effectively.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.941Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe846f

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 7/3/2025, 11:25:56 PM

Last updated: 8/16/2025, 12:47:44 AM
