CVE-2025-39891

Summary

In the Linux kernel, the following vulnerability has been resolved:

wifi: mwifiex: Initialize the chan_stats array to zero

The adapter->chan_stats[] array is initialized in mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out memory. The array is filled in mwifiex_update_chan_statistics() and then the user can query the data in mwifiex_cfg80211_dump_survey().

There are two potential issues here. What if the user calls mwifiex_cfg80211_dump_survey() before the data has been filled in. Also the mwifiex_update_chan_statistics() function doesn't necessarily initialize the whole array. Since the array was not initialized at the start that could result in an information leak.

Also this array is pretty small. It's a maximum of 900 bytes so it's more appropriate to use kcalloc() instead vmalloc().

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxbf35443314acb43fa8a3f9f8046e14cbe178762b < 9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65affected
LinuxLinuxbf35443314acb43fa8a3f9f8046e14cbe178762b < 05daef0442d28350a1a0d6d0e2cab4a7a91df475affected
LinuxLinuxbf35443314acb43fa8a3f9f8046e14cbe178762b < acdf26a912190fc6746e2a890d7d0338190527b4affected
LinuxLinuxbf35443314acb43fa8a3f9f8046e14cbe178762b < 32c124c9c03aa755cbaf60ef7f76afd918d47659affected
LinuxLinuxbf35443314acb43fa8a3f9f8046e14cbe178762b < 9df29aa5637d94d24f7c5f054ef4feaa7b766111affected
LinuxLinuxbf35443314acb43fa8a3f9f8046e14cbe178762b < 06616410a3e5e6cd1de5b7cbc668f1a7edeedad9affected
LinuxLinuxbf35443314acb43fa8a3f9f8046e14cbe178762b < 5285b7009dc1e09d5bb9e05fae82e1a807882dbcaffected
LinuxLinuxbf35443314acb43fa8a3f9f8046e14cbe178762b < 0e20450829ca3c1dbc2db536391537c57a40fe0baffected
LinuxLinux3.19affected
LinuxLinux0 < 3.19unaffected
LinuxLinux5.4.299 <= 5.4.*unaffected
LinuxLinux5.10.243 <= 5.10.*unaffected
LinuxLinux5.15.192 <= 5.15.*unaffected
LinuxLinux6.1.151 <= 6.1.*unaffected
LinuxLinux6.6.105 <= 6.6.*unaffected
LinuxLinux6.12.46 <= 6.12.*unaffected
LinuxLinux6.16.6 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References