CVE-2025-38293 in Linuxinfo

Summary

by MITRE • 07/10/2025

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: fix node corruption in ar->arvifs list

In current WLAN recovery code flow, ath11k_core_halt() only reinitializes the "arvifs" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head "arvifs", but the next of the list head "arvifs" no longer points to that list node.

When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath11k_mac_op_remove_interface(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic.

The fix is to remove and reinitialize all vif list nodes from the list head "arvifs" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath11k_mac_op_remove_interface() can execute normally.

Call trace: __list_del_entry_valid_or_report+0xb8/0xd0 ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]
drv_remove_interface+0x48/0x194 [mac80211]
ieee80211_do_stop+0x6e0/0x844 [mac80211]
ieee80211_stop+0x44/0x17c [mac80211]
__dev_close_many+0xac/0x150 __dev_change_flags+0x194/0x234 dev_change_flags+0x24/0x6c devinet_ioctl+0x3a0/0x670 inet_ioctl+0x200/0x248 sock_do_ioctl+0x60/0x118 sock_ioctl+0x274/0x35c __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x114 ...

Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 12/19/2025

The vulnerability identified as CVE-2025-38293 resides within the linux kernel's wireless subsystem, specifically affecting the ath11k driver used for Qualcomm Atheros 802.11ac wireless networking devices. This issue manifests during WLAN recovery operations when the driver's core halt function fails to properly manage the virtual interface (vif) list structure. The flaw stems from incomplete list node reinitialization during the ath11k_core_halt() process, which leaves the list in an inconsistent state that violates fundamental data structure integrity principles.

The technical root cause involves improper list management where only the list head "arvifs" gets reinitialized while the subsequent list nodes retain invalid pointers. This creates a scenario where the previous pointer of a node still references the list head, but the next pointer of the list head no longer points to that node, resulting in a corrupted doubly-linked list structure. This condition violates the expected list invariant that maintains bidirectional pointer consistency throughout the list structure. The vulnerability specifically impacts the ath11k_mac_op_remove_interface() function which attempts to remove nodes using list_del() operations, triggering kernel panic when it detects the invalid list state.

The operational impact of this vulnerability extends beyond simple system instability to potential denial of service conditions that could affect wireless connectivity for devices using Qualcomm Atheros hardware. The vulnerability is particularly dangerous because it can occur during active vif removal operations, creating a race condition between the WLAN recovery process and interface cleanup operations. This type of kernel-level memory corruption directly impacts system reliability and can lead to complete system crashes. The vulnerability has been classified under CWE-123 as "Uncontrolled List Element Removal" and aligns with ATT&CK technique T1490 for "Inhibit System Recovery" through kernel-level corruption.

The fix implemented addresses this by ensuring complete list node cleanup and reinitialization during WLAN halt operations, rather than merely resetting the list head. This approach properly invalidates all list nodes and ensures that subsequent list operations maintain structural integrity. The solution follows best practices for kernel memory management and list handling as recommended by the Linux kernel development community. Testing has confirmed the fix works correctly on the QCA6698AQ hardware platform, validating that the list corruption scenario no longer occurs during normal WLAN recovery operations. The resolution maintains backward compatibility while preventing the kernel panic condition that would otherwise occur during concurrent vif removal and WLAN recovery scenarios.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/10/2025

Moderation

accepted

CPE

ready

EPSS

0.00176

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!