cve-2025-37795
Vulnerability from cvelistv5
Published
2025-05-01 13:07
Modified
2025-05-04 07:32
Severity ?
Summary
wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()
Impacted products
Vendor: Linux — Product: Linux
Vendor: Linux — Product: Linux


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/tx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bb5c4347d50410e3b262c1dd4081e36aa06826f8",
              "status": "affected",
              "version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
              "versionType": "git"
            },
            {
              "lessThan": "47fe322fb4e000f3bb89c2b370a15f3dfdfb9109",
              "status": "affected",
              "version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
              "versionType": "git"
            },
            {
              "lessThan": "9d00c0a807a3bb7d8fadcd6c26f95f207ab0ce15",
              "status": "affected",
              "version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
              "versionType": "git"
            },
            {
              "lessThan": "a167a2833d3f862e800cc23067b21ff1df3a1085",
              "status": "affected",
              "version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
              "versionType": "git"
            },
            {
              "lessThan": "7fa75affe2a97abface2b0d9b95e15728967dda7",
              "status": "affected",
              "version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
              "versionType": "git"
            },
            {
              "lessThan": "159499c1341f66a71d985e9b79f2131e88d1c646",
              "status": "affected",
              "version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
              "versionType": "git"
            },
            {
              "lessThan": "0cbd747f343c28d911443dd4174820600cc0d952",
              "status": "affected",
              "version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
              "versionType": "git"
            },
            {
              "lessThan": "a104042e2bf6528199adb6ca901efe7b60c2c27f",
              "status": "affected",
              "version": "bb42f2d13ffcd0baed7547b37d05add51fcd50e1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mac80211/tx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15-rc3",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: Update skb\u0027s control block key in ieee80211_tx_dequeue()\n\nThe ieee80211 skb control block key (set when skb was queued) could have\nbeen removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue()\nalready called ieee80211_tx_h_select_key() to get the current key, but\nthe latter do not update the key in skb control block in case it is\nNULL. Because some drivers actually use this key in their TX callbacks\n(e.g. ath1{1,2}k_mac_op_tx()) this could lead to the use after free\nbelow:\n\n  BUG: KASAN: slab-use-after-free in ath11k_mac_op_tx+0x590/0x61c\n  Read of size 4 at addr ffffff803083c248 by task kworker/u16:4/1440\n\n  CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 Not tainted 6.13.0-ge128f627f404 #2\n  Hardware name: HW (DT)\n  Workqueue: bat_events batadv_send_outstanding_bcast_packet\n  Call trace:\n   show_stack+0x14/0x1c (C)\n   dump_stack_lvl+0x58/0x74\n   print_report+0x164/0x4c0\n   kasan_report+0xac/0xe8\n   __asan_report_load4_noabort+0x1c/0x24\n   ath11k_mac_op_tx+0x590/0x61c\n   ieee80211_handle_wake_tx_queue+0x12c/0x1c8\n   ieee80211_queue_skb+0xdcc/0x1b4c\n   ieee80211_tx+0x1ec/0x2bc\n   ieee80211_xmit+0x224/0x324\n   __ieee80211_subif_start_xmit+0x85c/0xcf8\n   ieee80211_subif_start_xmit+0xc0/0xec4\n   dev_hard_start_xmit+0xf4/0x28c\n   __dev_queue_xmit+0x6ac/0x318c\n   batadv_send_skb_packet+0x38c/0x4b0\n   batadv_send_outstanding_bcast_packet+0x110/0x328\n   process_one_work+0x578/0xc10\n   worker_thread+0x4bc/0xc7c\n   kthread+0x2f8/0x380\n   ret_from_fork+0x10/0x20\n\n  Allocated by task 1906:\n   kasan_save_stack+0x28/0x4c\n   kasan_save_track+0x1c/0x40\n   kasan_save_alloc_info+0x3c/0x4c\n   __kasan_kmalloc+0xac/0xb0\n   __kmalloc_noprof+0x1b4/0x380\n   ieee80211_key_alloc+0x3c/0xb64\n   ieee80211_add_key+0x1b4/0x71c\n   nl80211_new_key+0x2b4/0x5d8\n   genl_family_rcv_msg_doit+0x198/0x240\n  \u003c...\u003e\n\n  Freed by 
task 1494:\n   kasan_save_stack+0x28/0x4c\n   kasan_save_track+0x1c/0x40\n   kasan_save_free_info+0x48/0x94\n   __kasan_slab_free+0x48/0x60\n   kfree+0xc8/0x31c\n   kfree_sensitive+0x70/0x80\n   ieee80211_key_free_common+0x10c/0x174\n   ieee80211_free_keys+0x188/0x46c\n   ieee80211_stop_mesh+0x70/0x2cc\n   ieee80211_leave_mesh+0x1c/0x60\n   cfg80211_leave_mesh+0xe0/0x280\n   cfg80211_leave+0x1e0/0x244\n  \u003c...\u003e\n\nReset SKB control block key before calling ieee80211_tx_h_select_key()\nto avoid that."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:32:44.110Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bb5c4347d50410e3b262c1dd4081e36aa06826f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/47fe322fb4e000f3bb89c2b370a15f3dfdfb9109"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d00c0a807a3bb7d8fadcd6c26f95f207ab0ce15"
        },
        {
          "url": "https://git.kernel.org/stable/c/a167a2833d3f862e800cc23067b21ff1df3a1085"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fa75affe2a97abface2b0d9b95e15728967dda7"
        },
        {
          "url": "https://git.kernel.org/stable/c/159499c1341f66a71d985e9b79f2131e88d1c646"
        },
        {
          "url": "https://git.kernel.org/stable/c/0cbd747f343c28d911443dd4174820600cc0d952"
        },
        {
          "url": "https://git.kernel.org/stable/c/a104042e2bf6528199adb6ca901efe7b60c2c27f"
        }
      ],
      "title": "wifi: mac80211: Update skb\u0027s control block key in ieee80211_tx_dequeue()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37795",
    "datePublished": "2025-05-01T13:07:26.815Z",
    "dateReserved": "2025-04-16T04:51:23.941Z",
    "dateUpdated": "2025-05-04T07:32:44.110Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-37795\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-01T14:15:44.043\",\"lastModified\":\"2025-05-02T13:53:20.943\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: Update skb\u0027s control block key in ieee80211_tx_dequeue()\\n\\nThe ieee80211 skb control block key (set when skb was queued) could have\\nbeen removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue()\\nalready called ieee80211_tx_h_select_key() to get the current key, but\\nthe latter do not update the key in skb control block in case it is\\nNULL. Because some drivers actually use this key in their TX callbacks\\n(e.g. ath1{1,2}k_mac_op_tx()) this could lead to the use after free\\nbelow:\\n\\n  BUG: KASAN: slab-use-after-free in ath11k_mac_op_tx+0x590/0x61c\\n  Read of size 4 at addr ffffff803083c248 by task kworker/u16:4/1440\\n\\n  CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 Not tainted 6.13.0-ge128f627f404 #2\\n  Hardware name: HW (DT)\\n  Workqueue: bat_events batadv_send_outstanding_bcast_packet\\n  Call trace:\\n   show_stack+0x14/0x1c (C)\\n   dump_stack_lvl+0x58/0x74\\n   print_report+0x164/0x4c0\\n   kasan_report+0xac/0xe8\\n   __asan_report_load4_noabort+0x1c/0x24\\n   ath11k_mac_op_tx+0x590/0x61c\\n   ieee80211_handle_wake_tx_queue+0x12c/0x1c8\\n   ieee80211_queue_skb+0xdcc/0x1b4c\\n   ieee80211_tx+0x1ec/0x2bc\\n   ieee80211_xmit+0x224/0x324\\n   __ieee80211_subif_start_xmit+0x85c/0xcf8\\n   ieee80211_subif_start_xmit+0xc0/0xec4\\n   dev_hard_start_xmit+0xf4/0x28c\\n   __dev_queue_xmit+0x6ac/0x318c\\n   batadv_send_skb_packet+0x38c/0x4b0\\n   batadv_send_outstanding_bcast_packet+0x110/0x328\\n   process_one_work+0x578/0xc10\\n   worker_thread+0x4bc/0xc7c\\n   kthread+0x2f8/0x380\\n   ret_from_fork+0x10/0x20\\n\\n  Allocated by task 1906:\\n   
kasan_save_stack+0x28/0x4c\\n   kasan_save_track+0x1c/0x40\\n   kasan_save_alloc_info+0x3c/0x4c\\n   __kasan_kmalloc+0xac/0xb0\\n   __kmalloc_noprof+0x1b4/0x380\\n   ieee80211_key_alloc+0x3c/0xb64\\n   ieee80211_add_key+0x1b4/0x71c\\n   nl80211_new_key+0x2b4/0x5d8\\n   genl_family_rcv_msg_doit+0x198/0x240\\n  \u003c...\u003e\\n\\n  Freed by task 1494:\\n   kasan_save_stack+0x28/0x4c\\n   kasan_save_track+0x1c/0x40\\n   kasan_save_free_info+0x48/0x94\\n   __kasan_slab_free+0x48/0x60\\n   kfree+0xc8/0x31c\\n   kfree_sensitive+0x70/0x80\\n   ieee80211_key_free_common+0x10c/0x174\\n   ieee80211_free_keys+0x188/0x46c\\n   ieee80211_stop_mesh+0x70/0x2cc\\n   ieee80211_leave_mesh+0x1c/0x60\\n   cfg80211_leave_mesh+0xe0/0x280\\n   cfg80211_leave+0x1e0/0x244\\n  \u003c...\u003e\\n\\nReset SKB control block key before calling ieee80211_tx_h_select_key()\\nto avoid that.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: mac80211: Actualizar la clave del bloque de control de skb en ieee80211_tx_dequeue() La clave del bloque de control de skb ieee80211 (establecida cuando skb se puso en cola) podr\u00eda haberse eliminado antes de la llamada a ieee80211_tx_dequeue(). ieee80211_tx_dequeue() ya llam\u00f3 a ieee80211_tx_h_select_key() para obtener la clave actual, pero este \u00faltimo no actualiza la clave en el bloque de control de skb en caso de que sea NULL. 
Debido a que algunos controladores realmente usan esta clave en sus devoluciones de llamada TX (por ejemplo, ath1{1,2}k_mac_op_tx()), esto podr\u00eda llevar a use after free a continuaci\u00f3n: ERROR: KASAN: slab-use-after-free en ath11k_mac_op_tx+0x590/0x61c Lectura de tama\u00f1o 4 en la direcci\u00f3n ffffff803083c248 por la tarea kworker/u16:4/1440 CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 No contaminado 6.13.0-ge128f627f404 #2 Nombre del hardware: HW (DT) Cola de trabajo: bat_events batadv_send_outstanding_bcast_packet Rastreo de llamadas: show_stack+0x14/0x1c (C) dump_stack_lvl+0x58/0x74 print_report+0x164/0x4c0 kasan_report+0xac/0xe8 __asan_report_load4_noabort+0x1c/0x24 ath11k_mac_op_tx+0x590/0x61c ieee80211_handle_wake_tx_queue+0x12c/0x1c8 ieee80211_queue_skb+0xdcc/0x1b4c ieee80211_tx+0x1ec/0x2bc ieee80211_xmit+0x224/0x324 __ieee80211_subif_start_xmit+0x85c/0xcf8 ieee80211_subif_start_xmit+0xc0/0xec4 dev_hard_start_xmit+0xf4/0x28c __dev_queue_xmit+0x6ac/0x318c batadv_send_skb_packet+0x38c/0x4b0 batadv_send_outstanding_bcast_packet+0x110/0x328 process_one_work+0x578/0xc10 worker_thread+0x4bc/0xc7c kthread+0x2f8/0x380 ret_from_fork+0x10/0x20 Allocated by task 1906: kasan_save_stack+0x28/0x4c kasan_save_track+0x1c/0x40 kasan_save_alloc_info+0x3c/0x4c __kasan_kmalloc+0xac/0xb0 __kmalloc_noprof+0x1b4/0x380 ieee80211_key_alloc+0x3c/0xb64 ieee80211_add_key+0x1b4/0x71c nl80211_new_key+0x2b4/0x5d8 genl_family_rcv_msg_doit+0x198/0x240 \u0026lt;...\u0026gt; Freed by task 1494: kasan_save_stack+0x28/0x4c kasan_save_track+0x1c/0x40 kasan_save_free_info+0x48/0x94 __kasan_slab_free+0x48/0x60 kfree+0xc8/0x31c kfree_sensitive+0x70/0x80 ieee80211_key_free_common+0x10c/0x174 ieee80211_free_keys+0x188/0x46c ieee80211_stop_mesh+0x70/0x2cc ieee80211_leave_mesh+0x1c/0x60 cfg80211_leave_mesh+0xe0/0x280 cfg80211_leave+0x1e0/0x244 \u0026lt;...\u0026gt; Restablezca la clave del bloque de control SKB antes de llamar a ieee80211_tx_h_select_key() para evitar 
eso.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0cbd747f343c28d911443dd4174820600cc0d952\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/159499c1341f66a71d985e9b79f2131e88d1c646\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/47fe322fb4e000f3bb89c2b370a15f3dfdfb9109\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7fa75affe2a97abface2b0d9b95e15728967dda7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9d00c0a807a3bb7d8fadcd6c26f95f207ab0ce15\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a104042e2bf6528199adb6ca901efe7b60c2c27f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a167a2833d3f862e800cc23067b21ff1df3a1085\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bb5c4347d50410e3b262c1dd4081e36aa06826f8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}






Tags
Taxonomy of the tags.


  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.