CVE-2025-38601 in Linuxinfo

Summary

by MITRE • 08/19/2025

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: clear initialized flag for deinit-ed srng lists

In a number of cases we see kernel panics on resume due to ath11k kernel page fault, which happens under the following circumstances:

1) First ath11k_hal_dump_srng_stats() call

Last interrupt received for each group: ath11k_pci 0000:01:00.0: group_id 0 22511ms before ath11k_pci 0000:01:00.0: group_id 1 14440788ms before [..]
ath11k_pci 0000:01:00.0: failed to receive control response completion, polling.. ath11k_pci 0000:01:00.0: Service connect timeout ath11k_pci 0000:01:00.0: failed to connect to HTT: -110 ath11k_pci 0000:01:00.0: failed to start core: -110 ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM ath11k_pci 0000:01:00.0: already resetting count 2 ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110 ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110 ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery [..]

2) At this point reconfiguration fails (we have 2 resets) and ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit() which destroys srng lists. However, it does not reset per-list ->initialized flag.

3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized flag and attempts to dump srng stats:

Last interrupt received for each group: ath11k_pci 0000:01:00.0: group_id 0 66785ms before ath11k_pci 0000:01:00.0: group_id 1 14485062ms before ath11k_pci 0000:01:00.0: group_id 2 14485062ms before ath11k_pci 0000:01:00.0: group_id 3 14485062ms before ath11k_pci 0000:01:00.0: group_id 4 14780845ms before ath11k_pci 0000:01:00.0: group_id 5 14780845ms before ath11k_pci 0000:01:00.0: group_id 6 14485062ms before ath11k_pci 0000:01:00.0: group_id 7 66814ms before ath11k_pci 0000:01:00.0: group_id 8 68997ms before ath11k_pci 0000:01:00.0: group_id 9 67588ms before ath11k_pci 0000:01:00.0: group_id 10 69511ms before BUG: unable to handle page fault for address: ffffa007404eb010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0 Oops: 0000 [#1] PREEMPT SMP NOPTI
RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]
Call Trace: <TASK> ? __die_body+0xae/0xb0 ? page_fault_oops+0x381/0x3e0 ? exc_page_fault+0x69/0xa0 ? asm_exc_page_fault+0x22/0x30 ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]
ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]
worker_thread+0x389/0x930 kthread+0x149/0x170

Clear per-list ->initialized flag in ath11k_hal_srng_deinit().

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 01/08/2026

The vulnerability described in CVE-2025-38601 affects the Linux kernel's ath11k wireless driver, specifically within the subsystem responsible for managing shared receive node groups (srng) in Qualcomm's wireless networking hardware. This issue manifests as kernel panics during system resume operations, resulting in page faults that crash the entire kernel. The root cause lies in improper state management during driver reset sequences, where the initialized flag for srng lists is not properly cleared during deinitialization, leading to inconsistent behavior during subsequent operations.

The vulnerability occurs in a specific sequence involving firmware crashes and driver recovery mechanisms. When the wireless subsystem encounters a firmware crash, it attempts to recover by calling ath11k_core_reconfigure_on_crash(), which in turn invokes ath11k_hal_srng_deinit() to destroy the srng lists. However, this deinitialization function fails to reset the per-list initialized flag, leaving stale state information in memory. Subsequent calls to ath11k_hal_dump_srng_stats() encounter this corrupted state and attempt to access memory locations that are no longer valid, causing page faults and ultimately kernel panics.

This flaw represents a classic case of improper resource cleanup and state management, which aligns with CWE-665 Improper Initialization and CWE-825 Expired Pointer Dereference patterns. The vulnerability directly impacts system stability and availability, as users may experience unexpected system crashes during resume operations or when the driver attempts to recover from firmware failures. The kernel panic occurs at the supervisor level during a page fault, indicating that the driver is attempting to access memory that has been freed or is otherwise inaccessible, which constitutes a critical security and reliability issue.

The operational impact extends beyond simple system instability, as it affects the reliability of wireless connectivity in devices using Qualcomm's ath11k hardware. Systems that frequently experience firmware crashes or undergo power management transitions may be particularly susceptible to this vulnerability. The issue is particularly concerning in embedded systems or mobile devices where wireless connectivity is critical, as the kernel panic prevents normal system recovery and may require manual intervention or complete system reboot.

Mitigation strategies should focus on ensuring proper state management during driver reset operations. The fix involves modifying the ath11k_hal_srng_deinit() function to explicitly clear the initialized flag for each srng list during deinitialization, preventing stale state information from persisting. This remediation addresses the fundamental issue of incomplete cleanup and ensures that subsequent calls to dump srng statistics will not encounter invalid memory references. Organizations should prioritize applying this kernel patch to systems running affected versions, particularly those in production environments where wireless reliability is critical. The fix aligns with ATT&CK technique T1547.001 Account Manipulation and T1489 System Shutdown/Reboot, as it addresses a condition that can lead to system instability and requires proper resource management to prevent unintended behavior during system recovery operations.

Responsible

Linux

Reservation

04/16/2025

Disclosure

08/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00148

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!