{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()\n\nThe ieee80211 skb control block key (set when skb was queued) could have\nbeen removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue()\nalready called ieee80211_tx_h_select_key() to get the current key, but\nthe latter do not update the key in skb control block in case it is\nNULL. Because some drivers actually use this key in their TX callbacks\n(e.g. ath1{1,2}k_mac_op_tx()) this could lead to the use after free\nbelow:\n\n BUG: KASAN: slab-use-after-free in ath11k_mac_op_tx+0x590/0x61c\n Read of size 4 at addr ffffff803083c248 by task kworker/u16:4/1440\n\n CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 Not tainted 6.13.0-ge128f627f404 #2\n Hardware name: HW (DT)\n Workqueue: bat_events batadv_send_outstanding_bcast_packet\n Call trace:\n show_stack+0x14/0x1c (C)\n dump_stack_lvl+0x58/0x74\n print_report+0x164/0x4c0\n kasan_report+0xac/0xe8\n __asan_report_load4_noabort+0x1c/0x24\n ath11k_mac_op_tx+0x590/0x61c\n ieee80211_handle_wake_tx_queue+0x12c/0x1c8\n ieee80211_queue_skb+0xdcc/0x1b4c\n ieee80211_tx+0x1ec/0x2bc\n ieee80211_xmit+0x224/0x324\n __ieee80211_subif_start_xmit+0x85c/0xcf8\n ieee80211_subif_start_xmit+0xc0/0xec4\n dev_hard_start_xmit+0xf4/0x28c\n __dev_queue_xmit+0x6ac/0x318c\n batadv_send_skb_packet+0x38c/0x4b0\n batadv_send_outstanding_bcast_packet+0x110/0x328\n process_one_work+0x578/0xc10\n worker_thread+0x4bc/0xc7c\n kthread+0x2f8/0x380\n ret_from_fork+0x10/0x20\n\n Allocated by task 1906:\n kasan_save_stack+0x28/0x4c\n kasan_save_track+0x1c/0x40\n kasan_save_alloc_info+0x3c/0x4c\n __kasan_kmalloc+0xac/0xb0\n __kmalloc_noprof+0x1b4/0x380\n ieee80211_key_alloc+0x3c/0xb64\n ieee80211_add_key+0x1b4/0x71c\n nl80211_new_key+0x2b4/0x5d8\n genl_family_rcv_msg_doit+0x198/0x240\n <...>\n\n Freed by task 1494:\n kasan_save_stack+0x28/0x4c\n kasan_save_track+0x1c/0x40\n 
kasan_save_free_info+0x48/0x94\n __kasan_slab_free+0x48/0x60\n kfree+0xc8/0x31c\n kfree_sensitive+0x70/0x80\n ieee80211_key_free_common+0x10c/0x174\n ieee80211_free_keys+0x188/0x46c\n ieee80211_stop_mesh+0x70/0x2cc\n ieee80211_leave_mesh+0x1c/0x60\n cfg80211_leave_mesh+0xe0/0x280\n cfg80211_leave+0x1e0/0x244\n <...>\n\nReset SKB control block key before calling ieee80211_tx_h_select_key()\nto avoid that."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/mac80211/tx.c"
],
"versions": [
{
"version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
"lessThan": "bb5c4347d50410e3b262c1dd4081e36aa06826f8",
"status": "affected",
"versionType": "git"
},
{
"version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
"lessThan": "47fe322fb4e000f3bb89c2b370a15f3dfdfb9109",
"status": "affected",
"versionType": "git"
},
{
"version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
"lessThan": "9d00c0a807a3bb7d8fadcd6c26f95f207ab0ce15",
"status": "affected",
"versionType": "git"
},
{
"version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
"lessThan": "a167a2833d3f862e800cc23067b21ff1df3a1085",
"status": "affected",
"versionType": "git"
},
{
"version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
"lessThan": "7fa75affe2a97abface2b0d9b95e15728967dda7",
"status": "affected",
"versionType": "git"
},
{
"version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
"lessThan": "159499c1341f66a71d985e9b79f2131e88d1c646",
"status": "affected",
"versionType": "git"
},
{
"version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
"lessThan": "0cbd747f343c28d911443dd4174820600cc0d952",
"status": "affected",
"versionType": "git"
},
{
"version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
"lessThan": "a104042e2bf6528199adb6ca901efe7b60c2c27f",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/mac80211/tx.c"
],
"versions": [
{
"version": "4.9",
"status": "affected"
},
{
"version": "0",
"lessThan": "4.9",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.293",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.237",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.181",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.1.135",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.6.88",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.12.25",
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.14.4",
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "6.15-rc3",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "5.4.293"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "5.10.237"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "5.15.181"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "6.1.135"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "6.6.88"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "6.12.25"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "6.14.4"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9",
"versionEndExcluding": "6.15-rc3"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/bb5c4347d50410e3b262c1dd4081e36aa06826f8"
},
{
"url": "https://git.kernel.org/stable/c/47fe322fb4e000f3bb89c2b370a15f3dfdfb9109"
},
{
"url": "https://git.kernel.org/stable/c/9d00c0a807a3bb7d8fadcd6c26f95f207ab0ce15"
},
{
"url": "https://git.kernel.org/stable/c/a167a2833d3f862e800cc23067b21ff1df3a1085"
},
{
"url": "https://git.kernel.org/stable/c/7fa75affe2a97abface2b0d9b95e15728967dda7"
},
{
"url": "https://git.kernel.org/stable/c/159499c1341f66a71d985e9b79f2131e88d1c646"
},
{
"url": "https://git.kernel.org/stable/c/0cbd747f343c28d911443dd4174820600cc0d952"
},
{
"url": "https://git.kernel.org/stable/c/a104042e2bf6528199adb6ca901efe7b60c2c27f"
}
],
"title": "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2025-37795",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}