CVE-2025-38292 in Linux
Summary
by MITRE • 07/10/2025
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix invalid access to memory
In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean is_continuation is part of rxcb. Currently, after freeing the skb, the rxcb->is_continuation accessed again which is wrong since the memory is already freed. This might lead use-after-free error.
Hence, fix by locally defining bool is_continuation from rxcb, so that after freeing skb, is_continuation can be used.
Compile tested only.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 12/07/2025
The vulnerability identified as CVE-2025-38292 represents a critical use-after-free condition within the Linux kernel's wireless networking subsystem, specifically affecting the ath12k driver implementation. This flaw exists in the ath12k_dp_rx_msdu_coalesce() function which handles the reception and processing of wireless frames. The issue stems from improper memory management practices where the driver attempts to access memory that has already been freed, creating a potential security risk that could be exploited by malicious actors to gain unauthorized system access or cause system instability.
The technical root cause of this vulnerability lies in the improper handling of memory references within the wireless driver's receive path processing. When the ath12k driver processes incoming wireless frames, it retrieves a receive control block (rcb) from the socket buffer (skb) structure and accesses the is_continuation boolean flag that is part of this control block. The flaw occurs because the driver first frees the skb memory region and then attempts to access the is_continuation flag from the now-freed memory location. This violates fundamental memory safety principles and creates a classic use-after-free scenario where the kernel attempts to dereference a pointer to memory that has already been deallocated and potentially repurposed.
This vulnerability falls under the CWE-416 category of Use After Free, which is classified as a critical security weakness in software development. The operational impact of this flaw extends beyond simple system instability to potentially enable privilege escalation attacks, as demonstrated by the ATT&CK framework's T1068 technique for privilege escalation through memory corruption. The vulnerability specifically affects systems running Linux kernels with the ath12k wireless driver, which is commonly used in various wireless networking devices including routers, access points, and embedded systems. Attackers could exploit this condition to execute arbitrary code with kernel privileges, potentially leading to complete system compromise.
The fix implemented addresses this vulnerability by locally defining the boolean is_continuation variable before the skb memory is freed, ensuring that the value is preserved and accessible even after the original memory location becomes invalid. This approach follows secure coding practices that emphasize maintaining copies of critical data before memory deallocation operations. The mitigation strategy aligns with industry best practices for preventing use-after-free vulnerabilities and represents a defensive programming technique that prevents the kernel from accessing freed memory regions. This particular fix is compile-time tested but requires comprehensive runtime validation to ensure that the memory management changes do not introduce additional performance impacts or regressions in the wireless driver's functionality. The resolution demonstrates proper memory management principles and reinforces the importance of careful resource handling in kernel-space drivers where memory safety directly impacts system security and stability.