We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-21910

wifi: cfg80211: regulatory: improve invalid hints checking



Description

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: regulatory: improve invalid hints checking Syzbot keeps reporting an issue [1] that occurs when erroneous symbols sent from userspace get through into user_alpha2[] via regulatory_hint_user() call. Such invalid regulatory hints should be rejected. While a sanity check from commit 47caf685a685 ("cfg80211: regulatory: reject invalid hints") looks to be enough to deter these very cases, there is a way to get around it due to 2 reasons. 1) The way isalpha() works, symbols other than latin lower and upper letters may be used to determine a country/domain. For instance, greek letters will also be considered upper/lower letters and for such characters isalpha() will return true as well. However, ISO-3166-1 alpha2 codes should only hold latin characters. 2) While processing a user regulatory request, between reg_process_hint_user() and regulatory_hint_user() there happens to be a call to queue_regulatory_request() which modifies letters in request->alpha2[] with toupper(). This works fine for latin symbols, less so for weird letter characters from the second part of _ctype[]. Syzbot triggers a warning in is_user_regdom_saved() by first sending over an unexpected non-latin letter that gets malformed by toupper() into a character that ends up failing isalpha() check. Prevent this by enhancing is_an_alpha2() to ensure that incoming symbols are latin letters and nothing else. [1] Syzbot report: ------------[ cut here ]------------ Unexpected user alpha2: A� WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline] WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline] WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516 Modules linked in: CPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events_power_efficient crda_timeout_work RIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline] RIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline] RIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516 ... Call Trace: <TASK> crda_timeout_work+0x27/0x50 net/wireless/reg.c:542 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f2/0x390 kernel/kthread.c:389 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK>

Reserved 2024-12-29 | Published 2025-04-01 | Updated 2025-05-04 | Assigner Linux

Product status

Default status
unaffected

09d989d179d0c679043556dda77c51b41a2dae7e before 62b1a9bbfebba4b4c2bb6c1ede9ef7ecee7a9ff6
affected

09d989d179d0c679043556dda77c51b41a2dae7e before da3f599517ef2ea851208df3229d07728d238dc5
affected

09d989d179d0c679043556dda77c51b41a2dae7e before 6a5e3b23054cee3b92683d1467e3fa83921f5622
affected

09d989d179d0c679043556dda77c51b41a2dae7e before f4112cb477c727a65787a4065a75ca593bb5b2f4
affected

09d989d179d0c679043556dda77c51b41a2dae7e before 35ef07112b61b06eb30683a6563c9f6378c02476
affected

09d989d179d0c679043556dda77c51b41a2dae7e before be7c5f00aa7f1344293e4d48d0e12be83a2f223d
affected

09d989d179d0c679043556dda77c51b41a2dae7e before 17aa34c84867f6cd181a5743e1c647e7766962a6
affected

09d989d179d0c679043556dda77c51b41a2dae7e before 59b348be7597c4a9903cb003c69e37df20c04a30
affected

Default status
affected

2.6.34
affected

Any version before 2.6.34
unaffected

5.4.291
unaffected

5.10.235
unaffected

5.15.179
unaffected

6.1.131
unaffected

6.6.83
unaffected

6.12.19
unaffected

6.13.7
unaffected

6.14
unaffected

References

git.kernel.org/...c/62b1a9bbfebba4b4c2bb6c1ede9ef7ecee7a9ff6

git.kernel.org/...c/da3f599517ef2ea851208df3229d07728d238dc5

git.kernel.org/...c/6a5e3b23054cee3b92683d1467e3fa83921f5622

git.kernel.org/...c/f4112cb477c727a65787a4065a75ca593bb5b2f4

git.kernel.org/...c/35ef07112b61b06eb30683a6563c9f6378c02476

git.kernel.org/...c/be7c5f00aa7f1344293e4d48d0e12be83a2f223d

git.kernel.org/...c/17aa34c84867f6cd181a5743e1c647e7766962a6

git.kernel.org/...c/59b348be7597c4a9903cb003c69e37df20c04a30

cve.org (CVE-2025-21910)

nvd.nist.gov (CVE-2025-21910)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-21910

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.