CVE-2025-38294 in Linux
Summary
by MITRE • 07/10/2025
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix NULL access in assign channel context handler
Currently, when ath12k_mac_assign_vif_to_vdev() fails, the radio handle (ar) gets accessed from the link VIF handle (arvif) for debug logging, This is incorrect. In the fail scenario, radio handle is NULL. Fix the NULL access, avoid radio handle access by moving to the hardware debug logging helper function (ath12k_hw_warn).
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 12/07/2025
The vulnerability CVE-2025-38294 represents a critical null pointer dereference issue within the ath12k wireless driver component of the Linux kernel. This flaw exists in the wifi subsystem where the ath12k_mac_assign_vif_to_vdev() function fails to properly handle error conditions, leading to attempted access of a null radio handle during debug logging operations. The vulnerability stems from improper error handling mechanisms that fail to account for scenarios where the radio handle becomes null during the assignment process, creating a potential system crash or denial of service condition.
The technical implementation of this flaw occurs within the wireless driver's channel context assignment handler where the system attempts to access the radio handle (ar) from the link VIF handle (arvif) for debug logging purposes. When the ath12k_mac_assign_vif_to_vdev() function encounters a failure condition, the radio handle pointer becomes null, yet the code continues to reference this null pointer in debug logging operations. This pattern violates standard defensive programming practices and creates an exploitable condition that can lead to kernel panics or system instability. The issue specifically affects the ath12k wireless driver which manages Qualcomm's Wi-Fi 6E and Wi-Fi 7 hardware platforms including the QCN9274 and WCN7850 chipsets.
From an operational impact perspective, this vulnerability presents significant security and reliability concerns for systems utilizing affected Qualcomm Wi-Fi hardware. The null pointer dereference can result in complete system crashes, particularly in embedded devices, IoT appliances, or mobile platforms where wireless connectivity is critical. Attackers could potentially exploit this condition to cause denial of service attacks against wireless connectivity, making devices temporarily unusable. The vulnerability affects systems running Linux kernels with the ath12k driver and impacts all hardware platforms supported by this driver, including enterprise and consumer devices that rely on Qualcomm's wireless chipsets for network connectivity. This issue aligns with CWE-476 which identifies null pointer dereference as a common vulnerability pattern that can lead to system instability and potential privilege escalation.
The fix implemented addresses this vulnerability by modifying the debug logging approach to avoid accessing the null radio handle directly. Instead of accessing the null pointer for debug information, the solution employs the hardware debug logging helper function ath12k_hw_warn() which provides appropriate error handling and logging capabilities without requiring access to potentially null handles. This approach follows established security practices for kernel development and aligns with ATT&CK technique T1499.004 which covers system network denial of service. The mitigation strategy ensures that error conditions are properly handled without exposing system stability to null pointer dereference scenarios. The fix has been tested on specific hardware platforms including QCN9274 hw2.0 PCI and WCN7850 hw2.0 PCI configurations, confirming that the corrected implementation resolves the null access issue while maintaining proper debug logging functionality. This remediation approach demonstrates proper kernel security engineering practices and follows the principle of least privilege in error handling operations.