CVE-2025-37794 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: Purge vif txq in ieee80211_do_stop()

After ieee80211_do_stop() SKB from vif's txq could still be processed. Indeed another concurrent vif schedule_and_wake_txq call could cause those packets to be dequeued (see ieee80211_handle_wake_tx_queue()) without checking the sdata current state.

Because vif.drv_priv is now cleared in this function, this could lead to driver crash.

For example in ath12k, ahvif is store in vif.drv_priv. Thus if ath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif->ah can be NULL, leading the ath12k_warn(ahvif->ah,...) call in this function to trigger the NULL deref below.

Unable to handle kernel paging request at virtual address dfffffc000000001 KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
batman_adv: bat0: Interface deactivated: brbh1337 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [dfffffc000000001] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1] SMP
CPU: 1 UID: 0 PID: 978 Comm: lbd Not tainted 6.13.0-g633f875b8f1e #114 Hardware name: HW (DT) pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k]
lr : ath12k_mac_op_tx+0x174/0x29b8 [ath12k]
sp : ffffffc086ace450 x29: ffffffc086ace450 x28: 0000000000000000 x27: 1ffffff810d59ca4 x26: ffffff801d05f7c0 x25: 0000000000000000 x24: 000000004000001e x23: ffffff8009ce4926 x22: ffffff801f9c0800 x21: ffffff801d05f7f0 x20: ffffff8034a19f40 x19: 0000000000000000 x18: ffffff801f9c0958 x17: ffffff800bc0a504 x16: dfffffc000000000 x15: ffffffc086ace4f8 x14: ffffff801d05f83c x13: 0000000000000000 x12: ffffffb003a0bf03 x11: 0000000000000000 x10: ffffffb003a0bf02 x9 : ffffff8034a19f40 x8 : ffffff801d05f818 x7 : 1ffffff0069433dc x6 : ffffff8034a19ee0 x5 : ffffff801d05f7f0 x4 : 0000000000000000 x3 : 0000000000000001 x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000008 Call trace: ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] (P)
ieee80211_handle_wake_tx_queue+0x16c/0x260 ieee80211_queue_skb+0xeec/0x1d20 ieee80211_tx+0x200/0x2c8 ieee80211_xmit+0x22c/0x338 __ieee80211_subif_start_xmit+0x7e8/0xc60 ieee80211_subif_start_xmit+0xc4/0xee0 __ieee80211_subif_start_xmit_8023.isra.0+0x854/0x17a0 ieee80211_subif_start_xmit_8023+0x124/0x488 dev_hard_start_xmit+0x160/0x5a8 __dev_queue_xmit+0x6f8/0x3120 br_dev_queue_push_xmit+0x120/0x4a8 __br_forward+0xe4/0x2b0 deliver_clone+0x5c/0xd0 br_flood+0x398/0x580 br_dev_xmit+0x454/0x9f8 dev_hard_start_xmit+0x160/0x5a8 __dev_queue_xmit+0x6f8/0x3120 ip6_finish_output2+0xc28/0x1b60 __ip6_finish_output+0x38c/0x638 ip6_output+0x1b4/0x338 ip6_local_out+0x7c/0xa8 ip6_send_skb+0x7c/0x1b0 ip6_push_pending_frames+0x94/0xd0 rawv6_sendmsg+0x1a98/0x2898 inet_sendmsg+0x94/0xe0 __sys_sendto+0x1e4/0x308 __arm64_sys_sendto+0xc4/0x140 do_el0_svc+0x110/0x280 el0_svc+0x20/0x60 el0t_64_sync_handler+0x104/0x138 el0t_64_sync+0x154/0x158

To avoid that, empty vif's txq at ieee80211_do_stop() so no packet could be dequeued after ieee80211_do_stop() (new packets cannot be queued because SDATA_STATE_RUNNING is cleared at this point).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 03/16/2026

The vulnerability CVE-2025-37794 resides within the Linux kernel's mac80211 subsystem, specifically in the ieee80211_do_stop() function that manages wireless interface shutdown operations. This flaw represents a race condition and memory management issue that can lead to kernel crashes and system instability. The core problem occurs when packets remain in the virtual interface transmit queue (txq) after the interface has been stopped, creating a scenario where packets can still be processed despite the interface being in a shutdown state. This behavior violates the expected interface lifecycle management and creates a path for null pointer dereferences.

The technical flaw manifests through a critical timing issue where the ieee80211_do_stop() function clears the vif.drv_priv pointer to free driver-specific resources, but does not purge the transmit queue before this cleanup. Concurrent operations such as schedule_and_wake_txq calls can still dequeue packets from the now-inactive queue, leading to execution paths that attempt to access freed or invalid driver context data. In the specific case of the ath12k driver, the ahvif structure is stored in vif.drv_priv, and when ath12k_mac_op_tx() is invoked after ieee80211_do_stop(), it attempts to access ahvif->ah which has already been cleared, resulting in a NULL pointer dereference.

This vulnerability directly maps to CWE-476, Null Pointer Dereference, and aligns with ATT&CK technique T1059.006 for kernel-level code execution and T1562.001 for privilege escalation through kernel exploitation. The impact extends beyond simple crashes to potential system instability and denial of service conditions, particularly in wireless networking environments where continuous packet processing is expected. The memory corruption described in the stack trace shows a kernel paging request failure at virtual address 0xdf1000000001, indicating a classic null pointer dereference scenario where the kernel attempts to access memory at an invalid address range between user and kernel space boundaries.

The fix implemented addresses this by ensuring that the virtual interface transmit queue is emptied within ieee80211_do_stop() before clearing the driver private data. This prevents any subsequent concurrent operations from dequeuing packets and accessing freed memory structures. The solution follows the principle of proper resource cleanup and queue management in kernel subsystems, ensuring that all pending operations are completed or discarded before interface resources are released. This mitigation approach prevents the race condition between interface shutdown and concurrent packet processing, making the system more robust against timing-based exploitation and ensuring proper state management throughout the wireless interface lifecycle. The fix ensures that no packets can be dequeued after ieee80211_do_stop() completes, as new packets cannot be queued since the SDATA_STATE_RUNNING flag is cleared, thereby maintaining the integrity of the wireless subsystem's resource management.

Responsible

Linux

Reservation

04/16/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00164

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!