CVE-2025-38116 in Linuxinfo

Summary

by MITRE • 07/03/2025

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix uaf in ath12k_core_init()

When the execution of ath12k_core_hw_group_assign() or ath12k_core_hw_group_create() fails, the registered notifier chain is not unregistered properly. Its memory is freed after rmmod, which may trigger to a use-after-free (UAF) issue if there is a subsequent access to this notifier chain.

Fixes the issue by calling ath12k_core_panic_notifier_unregister() in failure cases.

Call trace: notifier_chain_register+0x4c/0x1f0 (P) atomic_notifier_chain_register+0x38/0x68 ath12k_core_init+0x50/0x4e8 [ath12k]
ath12k_pci_probe+0x5f8/0xc28 [ath12k]
pci_device_probe+0xbc/0x1a8 really_probe+0xc8/0x3a0 __driver_probe_device+0x84/0x1b0 driver_probe_device+0x44/0x130 __driver_attach+0xcc/0x208 bus_for_each_dev+0x84/0x100 driver_attach+0x2c/0x40 bus_add_driver+0x130/0x260 driver_register+0x70/0x138 __pci_register_driver+0x68/0x80 ath12k_pci_init+0x30/0x68 [ath12k]
ath12k_init+0x28/0x78 [ath12k]

Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/18/2026

The vulnerability CVE-2025-38116 represents a use-after-free condition affecting the ath12k wireless driver in the Linux kernel, specifically within the ath12k_core_init() function. This issue arises from improper cleanup of notifier chain registrations when hardware group assignment or creation operations fail during driver initialization. The flaw demonstrates a classic memory management error where resources are not properly released, creating opportunities for subsequent memory access violations. The vulnerability is particularly concerning as it occurs during driver initialization, potentially affecting system stability and security during critical boot phases.

The technical implementation of this vulnerability stems from the failure to properly unregister notifier chains when ath12k_core_hw_group_assign() or ath12k_core_hw_group_create() functions return error conditions. When these operations fail, the driver fails to call ath12k_core_panic_notifier_unregister() which would normally clean up the registered notifier chain. This leaves the notifier chain in an inconsistent state where its memory is freed during module removal but subsequent access attempts can still reference the freed memory locations. The call trace reveals this issue originates from the core initialization path and propagates through the standard PCI device probe mechanism, indicating the problem affects the fundamental driver registration process.

From an operational perspective, this vulnerability creates a significant risk for systems utilizing the ath12k wireless driver, particularly those running on Qualcomm-based wireless hardware such as the WCN7850. The use-after-free condition can lead to system crashes, kernel panics, or potentially exploitable memory corruption that could be leveraged for privilege escalation attacks. The vulnerability is classified under CWE-416 as a Use After Free condition, which directly maps to the memory safety violation in the driver's resource management. This type of vulnerability is particularly dangerous in embedded systems or network infrastructure devices where wireless connectivity is critical for system operation.

The fix implemented addresses this issue by ensuring that ath12k_core_panic_notifier_unregister() is called in all failure cases within the initialization sequence. This remediation follows established security practices for resource management and proper cleanup in error conditions. The solution aligns with ATT&CK technique T1068 by preventing privilege escalation opportunities through memory corruption vulnerabilities, and with T1547.001 by maintaining proper system integrity during driver initialization. Organizations should prioritize patching this vulnerability, especially in environments where wireless connectivity is essential and system stability is paramount. The fix ensures proper resource cleanup regardless of initialization success or failure states, preventing the memory access violations that could lead to system compromise or denial of service conditions.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/03/2025

Moderation

accepted

CPE

ready

EPSS

0.00156

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!