CVE-2025-23133

HIGH EPSS 6.7%
Published Apr 16, 20251y ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 16, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: update channel list in reg notifier instead reg worker Currently when ath11k gets a new channel list, it will be processed according to the following steps: 1. update new channel list to cfg80211 and queue reg_work. 2. cfg80211 handles new channel list during reg_work. 3. update cfg80211's handled channel list to firmware by ath11k_reg_update_chan_list(). But ath11k will immediately execute step 3 after reg_work is just queued. Since step 2 is asynchronous, cfg80211 may not have completed handling the new channel list, which may leading to an out-of-bounds write error: BUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list Call Trace: ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k] kfree+0x109/0x3a0 ath11k_regd_update+0x1cf/0x350 [ath11k] ath11k_regd_update_work+0x14/0x20 [ath11k] process_one_work+0xe35/0x14c0 Should ensure step 2 is completely done before executing step 3. Thus Wen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set, cfg80211 will notify ath11k after step 2 is done. So enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will notify ath11k after step 2 is done. At this time, there will be no KASAN bug during the execution of the step 3. [1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/ Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
6.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 9

VendorProductVersionRange
linuxlinux_kernel*≥5.15.79  –  <5.16
linuxlinux_kernel*≥6.0.9  –  <6.1
linuxlinux_kernel*≥6.1.1  –  <6.12.46
linuxlinux_kernel*≥6.13  –  <6.14.2
linuxlinux_kernel6.1any
linuxlinux_kernel6.1any
linuxlinux_kernel6.1any
linuxlinux_kernel6.1any
linuxlinux_kernel6.1any

References 3

  • git.kernel.org https://git.kernel.org/stable/c/26618c039b78a76c373d4e02c5fbd52e3a73aead
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/933ab187e679e6fbdeea1835ae39efcc59c022d2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f952fb83c9c6f908d27500764c4aee1df04b9d3f
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/26618c039b78a76c373d4e02c5fbd52e3a73aead
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/933ab187e679e6fbdeea1835ae39efcc59c022d2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f952fb83c9c6f908d27500764c4aee1df04b9d3f
    Patch