CVE-2025-37795 in Linux
요약
\~에 의해 VulDB • 2026. 05. 21.
리눅스 커널에서 다음 취약점이 해결되었습니다:
wifi: mac80211: ieee80211_tx_dequeue()에서 skb의 제어 블록 키 업데이트
skb가 큐에 삽입될 때 설정된 ieee80211 skb 제어 블록 키가 ieee80211_tx_dequeue() 호출 전에 제거되었을 수 있습니다. ieee80211_tx_dequeue()는 이미 현재 키를 가져오기 위해 ieee80211_tx_h_select_key()를 호출했지만, 후자는 키가 NULL인 경우 skb 제어 블록의 키를 업데이트하지 않습니다. 일부 드라이버는 실제로 TX 콜백(예: ath1{1,2}k_mac_op_tx())에서 이 키를 사용하므로, 이로 인해 아래에서 Use-After-Free가 발생할 수 있습니다:
BUG: KASAN: slab-use-after-free in ath11k_mac_op_tx+0x590/0x61c Read of size 4 at addr ffffff803083c248 by task kworker/u16:4/1440
CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 Not tainted 6.13.0-ge128f627f404 #2 Hardware name: HW (DT) Workqueue: bat_events batadv_send_outstanding_bcast_packet Call trace: show_stack+0x14/0x1c (C) dump_stack_lvl+0x58/0x74 print_report+0x164/0x4c0 kasan_report+0xac/0xe8 __asan_report_load4_noabort+0x1c/0x24 ath11k_mac_op_tx+0x590/0x61c ieee80211_handle_wake_tx_queue+0x12c/0x1c8 ieee80211_queue_skb+0xdcc/0x1b4c ieee80211_tx+0x1ec/0x2bc ieee80211_xmit+0x224/0x324 __ieee80211_subif_start_xmit+0x85c/0xcf8 ieee80211_subif_start_xmit+0xc0/0xec4 dev_hard_start_xmit+0xf4/0x28c __dev_queue_xmit+0x6ac/0x318c batadv_send_skb_packet+0x380/0x43c batadv_send_outstanding_bcast_packet+0x130/0x234 process_one_work+0x330/0x634 worker_thread+0x320/0x3e4 kthread+0x104/0x11c ret_from_fork+0x10/0x20
Allocated by task 1494: kasan_save_stack+0x28/0x4c kasan_save_track+0x1c/0x40 kasan_save_alloc_info+0x3c/0x4c __kasan_kmalloc+0xac/0xb0 __kmalloc_noprof+0x1b4/0x380 ieee80211_key_alloc+0x3c/0xb64 ieee80211_add_key+0x1b4/0x71c nl80211_new_key+0x2b4/0x5d8 genl_family_rcv_msg_doit+0x198/0x240
Freed by task 1494: kasan_save_stack+0x28/0x4c kasan_save_track+0x1c/0x40 kasan_save_free_info+0x48/0x94 __kasan_slab_free+0x48/0x60 kfree+0xc8/0x31c kfree_sensitive+0x70/0x80 ieee80211_key_free_common+0x10c/0x174 ieee80211_free_keys+0x188/0x46c ieee80211_stop_mesh+0x70/0x2cc ieee80211_leave_mesh+0x1c/0x60 cfg80211_leave_mesh+0xe0/0x280 cfg80211_leave+0x1e0/0x244
If you want to get best quality of vulnerability data, you may have to visit VulDB.