CVE-2025-38513

Summary

In the Linux kernel, the following vulnerability has been resolved:

wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()

There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible:

	T0			    		T1

zd_mac_tx_to_dev() /* len == skb_queue_len(q) */ while (len > ZD_MAC_MAX_ACK_WAITERS) {

				  filter_ack()
				    spin_lock_irqsave(&q->lock, flags);
				    /* position == skb_queue_len(q) */
				    for (i=1; i<position; i++)
			    	      skb = __skb_dequeue(q)

				    if (mac->type == NL80211_IFTYPE_AP)
				      skb = __skb_dequeue(q);
				    spin_unlock_irqrestore(&q->lock, flags);

skb_dequeue() -> NULL

Since there is a small gap between checking skb queue length and skb being unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL. Then the pointer is passed to zd_mac_tx_status() where it is dereferenced.

In order to avoid potential NULL pointer dereference due to situations like above, check if skb is not NULL before passing it to zd_mac_tx_status().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux459c51ad6e1fc19e91a53798358433d3c08cd09d < c1958270de947604cc6de05fc96dbba256b49cf0affected
LinuxLinux459c51ad6e1fc19e91a53798358433d3c08cd09d < 014c34dc132015c4f918ada4982e952947ac1047affected
LinuxLinux459c51ad6e1fc19e91a53798358433d3c08cd09d < b24f65c184540dfb967479320ecf7e8c2e9220dcaffected
LinuxLinux459c51ad6e1fc19e91a53798358433d3c08cd09d < adf08c96b963c7cd7ec1ee1c0c556228d9bedaaeaffected
LinuxLinux459c51ad6e1fc19e91a53798358433d3c08cd09d < 5420de65efbeb6503bcf1d43451c9df67ad60298affected
LinuxLinux459c51ad6e1fc19e91a53798358433d3c08cd09d < fcd9c923b58e86501450b9b442ccc7ce4a8d0fdaaffected
LinuxLinux459c51ad6e1fc19e91a53798358433d3c08cd09d < 602b4eb2f25668de15de69860ec99caf65b3684daffected
LinuxLinux459c51ad6e1fc19e91a53798358433d3c08cd09d < 74b1ec9f5d627d2bdd5e5b6f3f81c23317657023affected
LinuxLinux2.6.25affected
LinuxLinux0 < 2.6.25unaffected
LinuxLinux5.4.296 <= 5.4.*unaffected
LinuxLinux5.10.240 <= 5.10.*unaffected
LinuxLinux5.15.189 <= 5.15.*unaffected
LinuxLinux6.1.146 <= 6.1.*unaffected
LinuxLinux6.6.99 <= 6.6.*unaffected
LinuxLinux6.12.39 <= 6.12.*unaffected
LinuxLinux6.15.7 <= 6.15.*unaffected
LinuxLinux6.16 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References