CVE-2025-38600 in Linuxinfo

Summary

by MITRE • 08/19/2025

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7925: fix off by one in mt7925_mcu_hw_scan()

The ssid->ssids[] and sreq->ssids[] arrays have MT7925_RNR_SCAN_MAX_BSSIDS
elements so this >= needs to be > to prevent an out of bounds access.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 12/16/2025

The vulnerability CVE-2025-38600 represents a critical buffer overflow condition within the linux kernel's wireless subsystem, specifically affecting the mt7925 wireless driver implementation. This flaw exists in the mt76 wireless driver framework which manages various MediaTek wireless chipsets including the mt7925 model. The issue stems from improper bounds checking during hardware scan operations, creating a potential pathway for arbitrary code execution or system instability. The vulnerability manifests when processing scan request parameters, particularly in the mcu_hw_scan function that handles wireless network discovery operations.

The technical root cause involves an off-by-one error in the comparison logic within the mt7925_mcu_hw_scan() function. The ssid->ssids[] and sreq->ssids[] arrays are allocated with MT7925_RNR_SCAN_MAX_BSSIDS elements, but the code employs a greater-than-or-equal comparison (>=) instead of a strict greater-than comparison (>). This subtle but critical mistake allows an attacker to write beyond the allocated array boundaries when the loop index reaches the maximum valid array element. The flaw represents a classic buffer overflow vulnerability that can be exploited through crafted wireless scan requests.

The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling privilege escalation attacks and system compromise. When exploited, the out-of-bounds write could overwrite adjacent memory locations, corrupt kernel data structures, or even allow attackers to inject malicious code into kernel space. This vulnerability affects systems running linux kernel versions that include the mt76 wireless driver with mt7925 chipset support, particularly those implementing wireless scanning functionality. The risk is heightened in environments where wireless network management is automated or where untrusted wireless devices may interact with the system.

Mitigation strategies should focus on immediate kernel updates to address the identified buffer overflow condition. System administrators should prioritize patching affected kernel versions and monitoring wireless network traffic for suspicious scan requests. Additionally, implementing network segmentation and access controls can help limit potential exploitation vectors. The vulnerability aligns with CWE-129, which covers improper validation of array index bounds, and could potentially map to ATT&CK technique T1059.007 for execution through kernel exploits. Organizations should also consider implementing wireless intrusion detection systems to monitor for abnormal scan patterns that might indicate exploitation attempts.

Responsible

Linux

Reservation

04/16/2025

Disclosure

08/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00119

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!