CVE-2025-38291 in Linuxinfo

Summary

by MITRE • 07/10/2025

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash

Currently, we encounter the following kernel call trace when a firmware crash occurs. This happens because the host sends WMI commands to the firmware while it is in recovery, causing the commands to fail and resulting in the kernel call trace.

Set the ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags when the host driver receives the firmware crash notification from MHI. This prevents sending WMI commands to the firmware during recovery.

Call Trace: <TASK> dump_stack_lvl+0x75/0xc0 register_lock_class+0x6be/0x7a0 ? __lock_acquire+0x644/0x19a0 __lock_acquire+0x95/0x19a0 lock_acquire+0x265/0x310 ? ath12k_ce_send+0xa2/0x210 [ath12k]
? find_held_lock+0x34/0xa0 ? ath12k_ce_send+0x56/0x210 [ath12k]
_raw_spin_lock_bh+0x33/0x70 ? ath12k_ce_send+0xa2/0x210 [ath12k]
ath12k_ce_send+0xa2/0x210 [ath12k]
ath12k_htc_send+0x178/0x390 [ath12k]
ath12k_wmi_cmd_send_nowait+0x76/0xa0 [ath12k]
ath12k_wmi_cmd_send+0x62/0x190 [ath12k]
ath12k_wmi_pdev_bss_chan_info_request+0x62/0xc0 [ath1
ath12k_mac_op_get_survey+0x2be/0x310 [ath12k]
ieee80211_dump_survey+0x99/0x240 [mac80211]
nl80211_dump_survey+0xe7/0x470 [cfg80211]
? kmalloc_reserve+0x59/0xf0 genl_dumpit+0x24/0x70 netlink_dump+0x177/0x360 __netlink_dump_start+0x206/0x280 genl_family_rcv_msg_dumpit.isra.22+0x8a/0xe0 ? genl_family_rcv_msg_attrs_parse.isra.23+0xe0/0xe0 ? genl_op_lock.part.12+0x10/0x10 ? genl_dumpit+0x70/0x70 genl_rcv_msg+0x1d0/0x290 ? nl80211_del_station+0x330/0x330 [cfg80211]
? genl_get_cmd_both+0x50/0x50 netlink_rcv_skb+0x4f/0x100 genl_rcv+0x1f/0x30 netlink_unicast+0x1b6/0x260 netlink_sendmsg+0x31a/0x450 __sock_sendmsg+0xa8/0xb0 ____sys_sendmsg+0x1e4/0x260 ___sys_sendmsg+0x89/0xe0 ? local_clock_noinstr+0xb/0xc0 ? rcu_is_watching+0xd/0x40 ? kfree+0x1de/0x370 ? __sys_sendmsg+0x7a/0xc0

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 12/07/2025

The vulnerability described in CVE-2025-38291 affects the Linux kernel's ath12k wireless driver, specifically addressing a critical issue during firmware crash recovery scenarios. This flaw represents a race condition and improper state management within the wireless subsystem, where the host driver continues to attempt communication with a firmware that is already in a crash recovery state. The technical root cause lies in the absence of proper flag management when firmware crash notifications are received, leading to continued WMI (Wireless Microcontroller Interface) command transmissions that fail and generate kernel call traces. The vulnerability manifests as a kernel panic or system instability when the driver attempts to send WMI commands to firmware during its recovery phase, creating an inconsistent state between host and firmware components.

The operational impact of this vulnerability extends beyond simple system instability to potentially enable denial of service conditions within wireless networking environments. When a firmware crash occurs, the system enters a recovery state where normal operations should cease until the firmware is fully restored. However, the absence of proper flag setting allows continued command processing, resulting in failed WMI operations that trigger kernel stack traces and potentially system crashes. This behavior directly violates the expected fault recovery mechanisms and can be exploited to disrupt wireless connectivity in devices using the ath12k driver. The vulnerability affects hardware platforms such as the QCN9274 with specific firmware versions, making it particularly relevant for mobile devices, embedded systems, and IoT equipment that rely on Qualcomm's wireless chipsets.

Security implications of this vulnerability align with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-704 (Incorrect Type Conversion or Cast) as the flaw involves improper state management during concurrent access to shared firmware resources. The issue also maps to ATT&CK technique T1489 (Service Stop) through the potential for disruption of wireless services during firmware recovery. Mitigation strategies should focus on implementing proper flag management within the driver's crash handling routine, specifically setting ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags upon receiving firmware crash notifications from MHI (Modem Host Interface). Additionally, system administrators should ensure timely kernel updates that include the patched ath12k driver implementation. The fix prevents WMI command transmission during firmware recovery by leveraging the established flag-based state management system, ensuring that the host driver properly transitions to a safe state until firmware recovery is complete. This approach aligns with secure coding practices for embedded systems and wireless driver development, emphasizing proper resource management and state synchronization during error recovery scenarios.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/10/2025

Moderation

accepted

CPE

ready

EPSS

0.00137

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!