CVE-2025-38513

MEDIUM EPSS 4.5%
Published Aug 16, 2025 (10mo ago) · Modified Jun 17, 2026 (1w ago)
5.5 CVSS 3.1
Medium

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()

There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible:

    T0                                        T1
    zd_mac_tx_to_dev()
      /* len == skb_queue_len(q) */
      while (len > ZD_MAC_MAX_ACK_WAITERS) {
                                              filter_ack()
                                                spin_lock_irqsave(&q->lock, flags);
                                                /* position == skb_queue_len(q) */
                                                for (i=1; i<position; i++)
                                                  skb = __skb_dequeue(q)

                                                if (mac->type == NL80211_IFTYPE_AP)
                                                  skb = __skb_dequeue(q);
                                                spin_unlock_irqrestore(&q->lock, flags);

        skb_dequeue() -> NULL

Since there is a small gap between checking skb queue length and skb being unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL. Then the pointer is passed to zd_mac_tx_status() where it is dereferenced.

In order to avoid potential NULL pointer dereference due to situations like above, check if skb is not NULL before passing it to zd_mac_tx_status().

Found by Linux Verification Center (linuxtesting.org) with SVACE.
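The check-then-dequeue window described above, as an added userspace model; it is not the kernel's code or the upstream patch. All names (pkt, queue, trim, drain, run_scenario) are hypothetical, the racing path is simulated by a callback instead of a second thread, and leaving the loop on NULL is this model's assumption about how the check is applied.

```c
/* Userspace model only; all names are hypothetical, not kernel symbols. */
#include <stddef.h>
#define MAX_ACK_WAITERS 2   /* stand-in for ZD_MAC_MAX_ACK_WAITERS */

struct pkt { struct pkt *next; };
struct queue { struct pkt *head, *tail; unsigned len; };

static void enqueue(struct queue *q, struct pkt *p) {
    p->next = NULL;
    if (q->tail) q->tail->next = p; else q->head = p;
    q->tail = p;
    q->len++;
}

/* Like skb_dequeue(): returns NULL when the queue is empty. */
static struct pkt *dequeue(struct queue *q) {
    struct pkt *p = q->head;
    if (!p) return NULL;
    if (!(q->head = p->next)) q->tail = NULL;
    q->len--;
    return p;
}

/* T1 (filter_ack() in the description): empties the queue in the gap. */
static void drain(struct queue *q) { while (dequeue(q)) {} }
/* T0: trim the queue to MAX_ACK_WAITERS. `racer` runs between the length
 * check and the dequeue. Returns packets reported, or -1 where the
 * unchecked variant would hand NULL to the status handler. */
static int trim(struct queue *q, void (*racer)(struct queue *), int check_null) {
    int reported = 0;
    while (q->len > MAX_ACK_WAITERS) {   /* check */
        if (racer) racer(q);             /* window: T1 runs here */
        struct pkt *p = dequeue(q);      /* use */
        if (!p) {
            if (check_null) break;       /* checked: skip the status call */
            return -1;                   /* unchecked: NULL dereference here */
        }
        reported++;                      /* stand-in for zd_mac_tx_status() */
    }
    return reported;
}

/* Constructed scenario: four queued packets, optional racing drain. */
static int run_scenario(int with_race, int check_null) {
    struct pkt pkts[4];
    struct queue q = {0};
    for (int i = 0; i < 4; i++) enqueue(&q, &pkts[i]);
    return trim(&q, with_race ? drain : NULL, check_null);
}
int main(void) { return run_scenario(1, 1) == 0 ? 0 : 1; }
```

Without the racing drain both variants report two packets; with it, only the variant that tests the dequeued pointer returns cleanly.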

CVSS Details

Base Score 5.5
Exploitability 1.8
Impact 3.6
Vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
4.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 13

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥2.6.25 – <5.4.296
linux    linux_kernel   *         ≥5.5 – <5.10.240
linux    linux_kernel   *         ≥5.11 – <5.15.189
linux    linux_kernel   *         ≥5.16 – <6.1.146
linux    linux_kernel   *         ≥6.2 – <6.6.99
linux    linux_kernel   *         ≥6.7 – <6.12.39
linux    linux_kernel   *         ≥6.13 – <6.15.7
linux    linux_kernel   6.16      any
linux    linux_kernel   6.16      any
linux    linux_kernel   6.16      any
linux    linux_kernel   6.16      any
linux    linux_kernel   6.16      any
debian   debian_linux   11.0      any

References 10

  • git.kernel.org https://git.kernel.org/stable/c/014c34dc132015c4f918ada4982e952947ac1047
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5420de65efbeb6503bcf1d43451c9df67ad60298
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/602b4eb2f25668de15de69860ec99caf65b3684d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/74b1ec9f5d627d2bdd5e5b6f3f81c23317657023
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/adf08c96b963c7cd7ec1ee1c0c556228d9bedaae
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b24f65c184540dfb967479320ecf7e8c2e9220dc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c1958270de947604cc6de05fc96dbba256b49cf0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fcd9c923b58e86501450b9b442ccc7ce4a8d0fda
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
    Mailing List, Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
    Mailing List, Third Party Advisory

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/014c34dc132015c4f918ada4982e952947ac1047
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5420de65efbeb6503bcf1d43451c9df67ad60298
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/602b4eb2f25668de15de69860ec99caf65b3684d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/74b1ec9f5d627d2bdd5e5b6f3f81c23317657023
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/adf08c96b963c7cd7ec1ee1c0c556228d9bedaae
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b24f65c184540dfb967479320ecf7e8c2e9220dc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c1958270de947604cc6de05fc96dbba256b49cf0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fcd9c923b58e86501450b9b442ccc7ce4a8d0fda
    Patch