CVE-2025-38123 in Linuxinfo

Summary

by MITRE • 07/03/2025

In the Linux kernel, the following vulnerability has been resolved:

net: wwan: t7xx: Fix napi rx poll issue

When driver handles the napi rx polling requests, the netdev might have been released by the dellink logic triggered by the disconnect operation on user plane. However, in the logic of processing skb in polling, an invalid netdev is still being used, which causes a panic.

BUG: kernel NULL pointer dereference, address: 00000000000000f1 Oops: 0000 [#1] PREEMPT SMP NOPTI
RIP: 0010:dev_gro_receive+0x3a/0x620 [...]
Call Trace: <IRQ> ? __die_body+0x68/0xb0 ? page_fault_oops+0x379/0x3e0 ? exc_page_fault+0x4f/0xa0 ? asm_exc_page_fault+0x22/0x30 ? __pfx_t7xx_ccmni_recv_skb+0x10/0x10 [mtk_t7xx (HASH:1400 7)]
? dev_gro_receive+0x3a/0x620 napi_gro_receive+0xad/0x170 t7xx_ccmni_recv_skb+0x48/0x70 [mtk_t7xx (HASH:1400 7)]
t7xx_dpmaif_napi_rx_poll+0x590/0x800 [mtk_t7xx (HASH:1400 7)]
net_rx_action+0x103/0x470 irq_exit_rcu+0x13a/0x310 sysvec_apic_timer_interrupt+0x56/0x90 </IRQ>

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/18/2026

This vulnerability exists within the Linux kernel's WWAN subsystem, specifically affecting the MediaTek t7xx driver implementation. The issue manifests as a race condition between the network device cleanup process and the NAPI (Network API) receive polling mechanism. When a disconnect operation occurs on the user plane, the dellink logic triggers the release of the network device structure while the NAPI polling thread continues to process incoming skbuff (socket buffer) packets. This fundamental timing issue creates a scenario where the polling logic attempts to access a netdev structure that has already been freed, leading to a kernel NULL pointer dereference.

The technical flaw stems from improper synchronization between the device release operations and the active polling threads. According to CWE-362, this represents a race condition vulnerability where concurrent operations on shared resources lead to unpredictable behavior. The kernel panic occurs at the dev_gro_receive function which is part of the generic receive offload processing, indicating that the system attempts to process packets through a NULL netdev pointer. The stack trace shows the call sequence leading to the failure point through t7xx_ccmni_recv_skb, t7xx_dpmaif_napi_rx_poll, and ultimately net_rx_action, demonstrating how the issue propagates through the networking subsystem.

The operational impact of this vulnerability is severe as it can cause complete system crashes and potential denial of service conditions for mobile broadband connectivity. Systems utilizing MediaTek t7xx WWAN modems, particularly those running Linux kernel versions containing this bug, become susceptible to kernel panics during network disconnect operations or high traffic scenarios. This vulnerability affects embedded systems, mobile devices, and IoT platforms that rely on MediaTek's WWAN solutions for cellular connectivity. The panic occurs with a specific memory address 00000000000000f1, indicating the NULL pointer dereference pattern typical of this class of kernel vulnerabilities.

Mitigation strategies should focus on implementing proper locking mechanisms and reference counting between the NAPI polling context and the device release operations. The fix requires ensuring that the NAPI polling thread properly checks for device validity before accessing netdev structures, potentially through the use of rcu_read_lock or similar synchronization primitives. According to ATT&CK framework, this vulnerability could be exploited by adversaries to perform kernel-level privilege escalation or denial of service attacks against target systems. System administrators should prioritize applying kernel patches that address this specific race condition, particularly in production environments where WWAN connectivity is critical. Additionally, monitoring for kernel oops messages and system panics related to NAPI polling and device cleanup operations can help detect exploitation attempts or identify systems still vulnerable to this issue.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/03/2025

Moderation

accepted

CPE

ready

EPSS

0.00155

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!