CVE-2025-21730 in Linux
Summary
by MITRE • 02/27/2025
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: avoid to init mgnt_entry list twice when WoWLAN failed
If WoWLAN failed in resume flow, the rtw89_ops_add_interface() triggered without removing the interface first. Then the mgnt_entry list init again, causing the list_empty() check in rtw89_chanctx_ops_assign_vif() useless, and list_add_tail() again. Therefore, we have added a check to prevent double adding of the list.
rtw89_8852ce 0000:01:00.0: failed to check wow status disabled rtw89_8852ce 0000:01:00.0: wow: failed to check disable fw ready rtw89_8852ce 0000:01:00.0: wow: failed to swap to normal fw rtw89_8852ce 0000:01:00.0: failed to disable wow rtw89_8852ce 0000:01:00.0: failed to resume for wow -110 rtw89_8852ce 0000:01:00.0: MAC has already powered on i2c_hid_acpi i2c-ILTK0001:00: PM: acpi_subsys_resume+0x0/0x60 returned 0 after 284705 usecs list_add corruption. prev->next should be next (ffff9d9719d82228), but was ffff9d9719f96030. (prev=ffff9d9719f96030). ------------[ cut here ]------------
kernel BUG at lib/list_debug.c:34! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 6918 Comm: kworker/u8:19 Tainted: G U O Hardware name: Google Anraggar/Anraggar, BIOS Google_Anraggar.15217.514.0 03/25/2024 Workqueue: events_unbound async_run_entry_fn RIP: 0010:__list_add_valid_or_report+0x9f/0xb0 Code: e8 56 89 ff ff 0f 0b 48 c7 c7 3e fc e0 96 48 89 c6 e8 45 89 ff ... RSP: 0018:ffffa51b42bbbaf0 EFLAGS: 00010246 RAX: 0000000000000075 RBX: ffff9d9719d82ab0 RCX: 13acb86e047a4400 RDX: 3fffffffffffffff RSI: 0000000000000000 RDI: 00000000ffffdfff RBP: ffffa51b42bbbb28 R08: ffffffff9768e250 R09: 0000000000001fff R10: ffffffff9765e250 R11: 0000000000005ffd R12: ffff9d9719f95c40 R13: ffff9d9719f95be8 R14: ffff9d97081bfd78 R15: ffff9d9719d82060 FS: 0000000000000000(0000) GS:ffff9d9a6fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007e7d029a4060 CR3: 0000000345e38000 CR4: 0000000000750ee0 PKRU: 55555554 Call Trace: ? __die_body+0x68/0xb0 ? die+0xaa/0xd0 ? do_trap+0x9f/0x170 ? __list_add_valid_or_report+0x9f/0xb0 ? __list_add_valid_or_report+0x9f/0xb0 ? handle_invalid_op+0x69/0x90 ? __list_add_valid_or_report+0x9f/0xb0 ? exc_invalid_op+0x3c/0x50 ? asm_exc_invalid_op+0x16/0x20 ? __list_add_valid_or_report+0x9f/0xb0 rtw89_chanctx_ops_assign_vif+0x1f9/0x210 [rtw89_core cbb375c44bf28564ce479002bff66617a25d9ac1]
? __mutex_unlock_slowpath+0xa0/0xf0 rtw89_ops_assign_vif_chanctx+0x4b/0x90 [rtw89_core cbb375c44bf28564ce479002bff66617a25d9ac1]
drv_assign_vif_chanctx+0xa7/0x1f0 [mac80211 6efaad16237edaaea0868b132d4f93ecf918a8b6]
ieee80211_reconfig+0x9cb/0x17b0 [mac80211 6efaad16237edaaea0868b132d4f93ecf918a8b6]
? __pfx_wiphy_resume+0x10/0x10 [cfg80211 572d03acaaa933fe38251be7fce3b3675284b8ed]
? dev_printk_emit+0x51/0x70 ? _dev_info+0x6e/0x90 wiphy_resume+0x89/0x180 [cfg80211 572d03acaaa933fe38251be7fce3b3675284b8ed]
? __pfx_wiphy_resume+0x10/0x10 [cfg80211 572d03acaaa933fe38251be7fce3b3675284b8ed]
dpm_run_callback+0x37/0x1e0 device_resume+0x26d/0x4b0 ? __pfx_dpm_watchdog_handler+0x10/0x10 async_resume+0x1d/0x30 async_run_entry_fn+0x29/0xd0 worker_thread+0x397/0x970 kthread+0xed/0x110 ? __pfx_worker_thread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x38/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/25/2026
The vulnerability described in CVE-2025-21730 affects the Linux kernel's wireless subsystem, specifically within the rtw89 driver which manages Realtek 802.11 wireless devices. This issue manifests during the Wake-on-Wireless (WoWLAN) resume operation, where a failure in the WoWLAN process leads to improper handling of management entry lists. The root cause lies in the driver's inability to correctly manage the lifecycle of wireless interface management entries when WoWLAN fails, resulting in a double initialization of the mgnt_entry list. This flaw is classified under CWE-691, which pertains to insufficient control flow management, and aligns with ATT&CK technique T1059.006 for execution through kernel modules.
The technical exploitation of this vulnerability occurs when the rtw89_ops_add_interface() function is invoked without first removing the interface, causing the management entry list to be initialized a second time. This duplication corrupts the linked list structure used by the kernel's networking subsystem, specifically breaking the list_empty() check in rtw89_chanctx_ops_assign_vif(). The subsequent list_add_tail() operation then attempts to insert duplicate entries into the corrupted list, leading to memory corruption. The kernel logs indicate a failure in WoWLAN disable operations and a subsequent list corruption error, with the message "list_add corruption. prev->next should be next" pointing directly to the problematic behavior. The system ultimately crashes with a kernel BUG at lib/list_debug.c, indicating a critical failure in the kernel's list management subsystem.
The operational impact of this vulnerability is severe as it can lead to system instability and potential denial of service conditions. When a wireless interface fails to properly resume from WoWLAN state, the kernel may crash or become unresponsive, affecting network connectivity and system reliability. This vulnerability particularly impacts systems using Realtek 8852ce wireless adapters and other devices managed by the rtw89 driver. The flaw can be triggered during normal system operation when WoWLAN functionality is utilized, making it a persistent risk for devices that rely on wireless power management features. The crash occurs during the normal execution flow of kernel workqueues, indicating that the vulnerability can be exploited through legitimate system operations rather than requiring special privileges or specific malicious input.
Mitigation strategies for CVE-2025-21730 focus on ensuring proper management of the wireless interface lifecycle within the rtw89 driver. The most effective solution involves applying the kernel patch that adds a check to prevent double addition of the management entry list, thereby maintaining list integrity during WoWLAN failure scenarios. System administrators should ensure that their kernel versions include this fix, particularly in environments where wireless power management is actively used. Additionally, monitoring for kernel log messages indicating WoWLAN failures can help identify vulnerable systems before crashes occur. The patch addresses the root cause by ensuring that management entries are properly cleaned up before reinitialization, preventing the list corruption that leads to kernel panics. For systems unable to immediately update the kernel, disabling WoWLAN functionality can serve as a temporary workaround, though this reduces the device's power efficiency and wireless connectivity options during system suspend states.