CVE-2025-22032 in Linux

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7921: fix kernel panic due to null pointer dereference

Address a kernel panic caused by a null pointer dereference in the `mt792x_rx_get_wcid` function. The issue arises because the `deflink` structure is not properly initialized with the `sta` context. This patch ensures that the `deflink` structure is correctly linked to the `sta` context, preventing the null pointer dereference.

BUG: kernel NULL pointer dereference, address: 0000000000000400
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 UID: 0 PID: 470 Comm: mt76-usb-rx phy Not tainted 6.12.13-gentoo-dist #1
Hardware name: /AMD HUDSON-M1, BIOS 4.6.4 11/15/2011
RIP: 0010:mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib]
RSP: 0018:ffffa147c055fd98 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff8e9ecb652000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e9ecb652000
RBP: 0000000000000685 R08: ffff8e9ec6570000 R09: 0000000000000000
R10: ffff8e9ecd2ca000 R11: ffff8e9f22a217c0 R12: 0000000038010119
R13: 0000000080843801 R14: ffff8e9ec6570000 R15: ffff8e9ecb652000
FS:  0000000000000000(0000) GS:ffff8e9f22a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000400 CR3: 000000000d2ea000 CR4: 00000000000006f0
Call Trace:
 ? __die_body.cold+0x19/0x27
 ? page_fault_oops+0x15a/0x2f0
 ? search_module_extables+0x19/0x60
 ? search_bpf_extables+0x5f/0x80
 ? exc_page_fault+0x7e/0x180
 ? asm_exc_page_fault+0x26/0x30
 ? mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib]
 mt7921_queue_rx_skb+0x1c6/0xaa0 [mt7921_common]
 mt76u_alloc_queues+0x784/0x810 [mt76_usb]
 ? __pfx___mt76_worker_fn+0x10/0x10 [mt76]
 __mt76_worker_fn+0x4f/0x80 [mt76]
 kthread+0xd2/0x100
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x34/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
---[ end trace 0000000000000000 ]---


Analysis

by VulDB Data Team • 02/15/2026

CVE-2025-22032 is a NULL pointer dereference in the Linux kernel's wireless subsystem, in the mt7921 driver for MediaTek Wi-Fi devices. The crash occurs in mt792x_rx_get_wcid, a helper in the mt792x_lib module that resolves the wireless client identifier (WCID) of a received frame to its station context. According to the fix, the per-station deflink structure was never linked back to its owning sta context, so the lookup followed a NULL pointer. The register dump agrees: the faulting address (CR2) is 0x400 and RAX is zero, which is exactly what a read of a field at offset 0x400 from a NULL struct pointer produces, and the #PF lines record a supervisor-mode read of a not-present page. The crash was reported from the USB receive worker thread (Comm: mt76-usb-rx phy, running __mt76_worker_fn under kthread): mt7921_queue_rx_skb called mt792x_rx_get_wcid while processing a received frame. The frame labelled mt76u_alloc_queues+0x784 in mt76_usb sits inside that receive worker's call chain; the surrounding frames place the crash in frame reception, not in USB queue allocation as the symbol name might suggest.

The flaw is a textbook instance of CWE-476 (NULL Pointer Dereference). The deflink structure holds per-link state for a station and is meant to carry a reference back to its owning sta context; the station-add path left that reference unset and the receive path dereferenced it without a check. In the kernel a read through NULL lands in the unmapped first page, so the page-fault handler raises an oops instead of returning garbage, and the faulting address equals the offset of the field being read (here 0x400); that is how a NULL struct pointer can be recognised from the oops alone. Because the oops occurs in a kernel thread handling received frames, the immediate consequence is loss of the wireless receive path, and with kernel.panic_on_oops set it becomes the full panic the summary describes. The page gives no information about which frames reach this code path or whether an unauthenticated peer can steer a device into it, so the remote-trigger question should be treated as open; what is established is that ordinary frame reception on an affected, untainted kernel crashed the host.
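To make the "NULL + field offset" reasoning above concrete, here is an added, stand-alone model of the bug class. It is not the mt76 driver's code: the struct names, the field layout and the choice of padding that places a field at offset 0x400 are assumptions made so that the toy reproduces the fault address from the oops. It shows the buggy and fixed station-add paths side by side, a hardened lookup that refuses an unlinked link, and a small triage helper that turns the BUG line's address back into a field offset.

```c
/*
 * Illustrative model of the CVE-2025-22032 bug class (CWE-476), written for
 * this page. NOT the mt76 driver's code: struct names, the field layout and
 * the 0x400 offset are assumptions chosen to reproduce the oops address.
 *
 * Model: an owner context ("sta") embeds a per-link struct ("deflink") that
 * carries a back-pointer to its owner. The rx path receives only the link
 * and follows the back-pointer. If the add path never sets it, the rx path
 * reads through NULL at the field's offset.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct toy_sta;

struct toy_link {
	uint16_t wcid_idx;
	struct toy_sta *sta;	/* back-pointer to the owner; the bug leaves it NULL */
};

struct toy_sta {
	uint8_t hdr[0x400];	/* assumed padding so that 'vif' lands at offset 0x400 */
	void *vif;		/* what the rx path wants to reach via link->sta->vif */
	struct toy_link deflink;
};

/* "Before": initialises the link but never ties it back to its owner. */
void sta_add_buggy(struct toy_sta *sta, uint16_t idx, void *vif)
{
	memset(sta, 0, sizeof(*sta));
	sta->vif = vif;
	sta->deflink.wcid_idx = idx;
	/* missing: sta->deflink.sta = sta; */
}

/* "After": the link is tied to its owner at creation time. */
void sta_add_fixed(struct toy_sta *sta, uint16_t idx, void *vif)
{
	sta_add_buggy(sta, idx, vif);
	sta->deflink.sta = sta;
}

/*
 * Address an unchecked rx lookup (link->sta->vif) would read, computed with
 * integer arithmetic so it can be evaluated without faulting. With a NULL
 * back-pointer the result is exactly offsetof(struct toy_sta, vif) = 0x400.
 */
uintptr_t unchecked_lookup_reads_from(const struct toy_link *link)
{
	return (uintptr_t)link->sta + offsetof(struct toy_sta, vif);
}

/* Hardened rx lookup: refuses links that were never tied to an owner. */
void *rx_get_owner_vif(const struct toy_link *link)
{
	if (!link || !link->sta)
		return NULL;
	return link->sta->vif;
}

/*
 * Oops triage: extract the fault address from a "BUG: kernel NULL pointer
 * dereference, address: ..." line. Returns 0 and stores the address on
 * success, -1 if the line is not such a BUG line.
 */
int parse_oops_fault_address(const char *bug_line, uintptr_t *addr)
{
	static const char key[] = "NULL pointer dereference, address: ";
	const char *p = strstr(bug_line, key);
	char *end;

	if (!p)
		return -1;
	p += sizeof(key) - 1;
	*addr = (uintptr_t)strtoull(p, &end, 16);
	return end == p ? -1 : 0;
}

/*
 * A fault address inside the never-mapped first page (below 4096 on x86-64)
 * is a NULL struct pointer dereferenced at that field offset. Returns the
 * offset, or -1 if the address is not a small-offset NULL dereference.
 */
long null_deref_field_offset(uintptr_t fault_addr)
{
	return fault_addr < 4096 ? (long)fault_addr : -1;
}

int main(void)
{
	/* Constructed inputs: one station record and the BUG line quoted above. */
	struct toy_sta sta;
	int vif_marker = 0;
	const char *bug = "BUG: kernel NULL pointer dereference, address: 0000000000000400";
	uintptr_t addr;

	sta_add_buggy(&sta, 7, &vif_marker);
	printf("buggy: unchecked lookup would read 0x%lx, hardened lookup -> %p\n",
	       (unsigned long)unchecked_lookup_reads_from(&sta.deflink),
	       rx_get_owner_vif(&sta.deflink));

	sta_add_fixed(&sta, 7, &vif_marker);
	printf("fixed: hardened lookup -> %p (vif marker lives at %p)\n",
	       rx_get_owner_vif(&sta.deflink), (void *)&vif_marker);

	if (parse_oops_fault_address(bug, &addr) == 0)
		printf("oops: fault at 0x%lx -> NULL struct pointer, field offset %ld\n",
		       (unsigned long)addr, null_deref_field_offset(addr));
	return 0;
}
```

The point of the two add paths is that the fix belongs where the object is created, not in the reader: setting the back-pointer once at add time removes the whole class of crashes, while the NULL check in the lookup is defence in depth for callers that may see a partially initialised link. The triage helper encodes the rule used in the analysis above: a small fault address on a NULL-pointer BUG line is a struct field offset, and that offset can be matched against the driver's struct layout (pahole or a debugger) to name the field being read.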

Operationally, the affected population is Linux hosts with MediaTek mt7921-family adapters driven through mt7921_common and mt792x_lib. The mt7921 is a client-side (station) chipset found in laptops and in USB Wi-Fi adapters such as the one in the oops above, which went through the mt76_usb path. The impact is availability: an oops in the receive worker kills the receive path, and with panic_on_oops set it reboots the machine, so a host that hits the bug loses connectivity until it is restarted. Unlike a flaw in an access point, this does not take down other clients in the coverage area; it takes down the machine running the driver. Because the trigger sits in the normal reception path, nothing unusual need appear on the wire, and network-side monitoring is unlikely to separate a triggering frame from legitimate traffic; the host-side oops is the practical indicator.

Mitigation is to run a kernel that carries the fix for mt792x_rx_get_wcid, that is, one in which deflink is linked to its sta context when the station is added. The oops in the summary came from 6.12.13, so 6.12 stable kernels before the backport are affected; consult the distribution's advisory or the stable changelog for the exact fixed version rather than relying on a guessed range. Until patched, hosts that do not need the adapter can blacklist the bus glue module (mt7921u for USB, mt7921e for PCIe) or remove the device; hosts that do need it should at least be monitored for the oops signature (mt792x_rx_get_wcid in a "BUG: kernel NULL pointer dereference" report), which is the only reliable indicator because the trigger is ordinary frame reception. Decide deliberately on kernel.panic_on_oops and kernel.panic: leaving an oopsed receive worker dead yields a silently broken interface, while panicking yields a reboot, which is usually preferable on unattended systems. In ATT&CK terms the effect maps to T1499.004 (Endpoint Denial of Service: Application or System Exploitation); a network denial-of-service or phishing technique does not describe a driver crash. Regular kernel updates and tracking of stable backports for the wireless drivers in use remain the baseline control.

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00165

KEV

no

Activities

very low

Sources
