CVE-2025-39891
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mwifiex: Initialize the chan_stats array to zero
The adapter->chan_stats[] array is initialized in mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out memory. The array is filled in mwifiex_update_chan_statistics() and then the user can query the data in mwifiex_cfg80211_dump_survey().
There are two potential issues here. What if the user calls mwifiex_cfg80211_dump_survey() before the data has been filled in. Also the mwifiex_update_chan_statistics() function doesn't necessarily initialize the whole array. Since the array was not initialized at the start that could result in an information leak.
Also this array is pretty small. It's a maximum of 900 bytes so it's more appropriate to use kcalloc() instead vmalloc().
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | bf35443314acb43fa8a3f9f8046e14cbe178762b < 9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65 | affected |
| Linux | Linux | bf35443314acb43fa8a3f9f8046e14cbe178762b < 05daef0442d28350a1a0d6d0e2cab4a7a91df475 | affected |
| Linux | Linux | bf35443314acb43fa8a3f9f8046e14cbe178762b < acdf26a912190fc6746e2a890d7d0338190527b4 | affected |
| Linux | Linux | bf35443314acb43fa8a3f9f8046e14cbe178762b < 32c124c9c03aa755cbaf60ef7f76afd918d47659 | affected |
| Linux | Linux | bf35443314acb43fa8a3f9f8046e14cbe178762b < 9df29aa5637d94d24f7c5f054ef4feaa7b766111 | affected |
| Linux | Linux | bf35443314acb43fa8a3f9f8046e14cbe178762b < 06616410a3e5e6cd1de5b7cbc668f1a7edeedad9 | affected |
| Linux | Linux | bf35443314acb43fa8a3f9f8046e14cbe178762b < 5285b7009dc1e09d5bb9e05fae82e1a807882dbc | affected |
| Linux | Linux | bf35443314acb43fa8a3f9f8046e14cbe178762b < 0e20450829ca3c1dbc2db536391537c57a40fe0b | affected |
| Linux | Linux | 3.19 | affected |
| Linux | Linux | 0 < 3.19 | unaffected |
| Linux | Linux | 5.4.299 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.243 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.192 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.151 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.105 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.46 <= 6.12.* | unaffected |
| Linux | Linux | 6.16.6 <= 6.16.* | unaffected |
| Linux | Linux | 6.17 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
References
- https://git.kernel.org/stable/c/9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65
- https://git.kernel.org/stable/c/05daef0442d28350a1a0d6d0e2cab4a7a91df475
- https://git.kernel.org/stable/c/acdf26a912190fc6746e2a890d7d0338190527b4
- https://git.kernel.org/stable/c/32c124c9c03aa755cbaf60ef7f76afd918d47659
- https://git.kernel.org/stable/c/9df29aa5637d94d24f7c5f054ef4feaa7b766111
- https://git.kernel.org/stable/c/06616410a3e5e6cd1de5b7cbc668f1a7edeedad9
- https://git.kernel.org/stable/c/5285b7009dc1e09d5bb9e05fae82e1a807882dbc
- https://git.kernel.org/stable/c/0e20450829ca3c1dbc2db536391537c57a40fe0b
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.