CVE-2025-21750 in Linux
Summary
by MITRE • 02/27/2025
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Check the return value of of_property_read_string_index()
Somewhen between 6.10 and 6.11 the driver started to crash on my MacBookPro14,3. The property doesn't exist and 'tmp' remains uninitialized, so we pass a random pointer to devm_kstrdup().
The crash I am getting looks like this:
BUG: unable to handle page fault for address: 00007f033c669379 PF: supervisor read access in kernel mode PF: error_code(0x0001) - permissions violation PGD 8000000101341067 P4D 8000000101341067 PUD 101340067 PMD 1013bb067 PTE 800000010aee9025 Oops: Oops: 0001 [#1] SMP PTI
CPU: 4 UID: 0 PID: 827 Comm: (udev-worker) Not tainted 6.11.8-gentoo #1 Hardware name: Apple Inc. MacBookPro14,3/Mac-551B86E5744E2388, BIOS 529.140.2.0.0 06/23/2024 RIP: 0010:strlen+0x4/0x30 Code: f7 75 ec 31 c0 c3 cc cc cc cc 48 89 f8 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <80> 3f 00 74 14 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 cc RSP: 0018:ffffb4aac0683ad8 EFLAGS: 00010202 RAX: 00000000ffffffea RBX: 00007f033c669379 RCX: 0000000000000001 RDX: 0000000000000cc0 RSI: 00007f033c669379 RDI: 00007f033c669379 RBP: 00000000ffffffea R08: 0000000000000000 R09: 00000000c0ba916a R10: ffffffffffffffff R11: ffffffffb61ea260 R12: ffff91f7815b50c8 R13: 0000000000000cc0 R14: ffff91fafefffe30 R15: ffffb4aac0683b30 FS: 00007f033ccbe8c0(0000) GS:ffff91faeed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f033c669379 CR3: 0000000107b1e004 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x149/0x4c0 ? raw_spin_rq_lock_nested+0xe/0x20 ? sched_balance_newidle+0x22b/0x3c0 ? update_load_avg+0x78/0x770 ? exc_page_fault+0x6f/0x150 ? asm_exc_page_fault+0x26/0x30 ? __pfx_pci_conf1_write+0x10/0x10 ? strlen+0x4/0x30 devm_kstrdup+0x25/0x70 brcmf_of_probe+0x273/0x350 [brcmfmac]
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/25/2026
The vulnerability described in CVE-2025-21750 resides within the brcmfmac driver of the Linux kernel, specifically affecting the handling of device tree properties during WiFi initialization on certain Apple MacBook models. This issue manifests as a kernel panic or page fault when the driver attempts to process a device tree property that does not exist. The root cause stems from a failure to properly validate the return value of the `of_property_read_string_index()` function, which is responsible for reading string properties from the device tree. When this function fails to find the expected property, it returns a negative error code, but the driver code does not check this return value before proceeding to pass an uninitialized variable to `devm_kstrdup()`. This leads to a dereference of a random pointer, resulting in a kernel page fault when the kernel attempts to access memory at an invalid address.
The technical flaw aligns with CWE-457, which describes the use of uninitialized variables, and represents a classic case of improper error handling in kernel space. The vulnerability specifically impacts the brcmfmac driver, which manages Broadcom WiFi chipsets on Linux systems, and occurs during the probe phase of device initialization. The crash signature shows a supervisor read access violation at address 0x00007f033c669379, which is clearly outside the normal kernel memory space, indicating that the invalid pointer dereference leads to an attempt to execute the `strlen()` function on garbage data. This behavior is consistent with a null pointer dereference or more accurately an uninitialized pointer dereference that has been corrupted by the kernel's memory management.
The operational impact of this vulnerability is significant as it can cause complete system crashes or kernel oops on affected MacBook models, particularly those with the specific hardware configuration that triggers this code path. The issue occurs during the udev worker process, indicating that it affects the device initialization sequence and can prevent WiFi functionality from operating properly. Systems running kernel versions between 6.10 and 6.11 are specifically vulnerable, suggesting this is a regression introduced in the kernel update cycle. The vulnerability affects only systems with the particular device tree configuration where the expected property is missing, but given the widespread use of these MacBook models, it represents a substantial risk to end-user systems. This type of vulnerability can be leveraged by attackers to cause denial of service conditions or potentially escalate privileges if the kernel memory corruption can be controlled or manipulated.
Mitigation strategies for this vulnerability include applying the kernel patch that properly checks the return value of `of_property_read_string_index()` before proceeding with device tree property handling. The fix should ensure that when the property cannot be read, the driver handles this gracefully rather than proceeding with uninitialized data. System administrators should prioritize updating to a patched kernel version, particularly for systems running kernel 6.11 or later where this regression was introduced. Additionally, monitoring for kernel oops messages and system crashes related to device tree property handling can help identify affected systems. The ATT&CK framework categorizes this as a kernel-level privilege escalation or denial of service vector, as it can cause system instability and prevent normal operation of the WiFi subsystem. Organizations should also consider implementing automated patch management policies to ensure timely deployment of kernel security updates and maintain inventory of affected hardware configurations to track vulnerability exposure.