Home

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: prevent A-MSDU attacks in mesh networks This patch is a mitigation to prevent the A-MSDU spoofing vulnerability for mesh networks. The initial update to the IEEE 802.11 standard, in response to the FragAttacks, missed this case (CVE-2025-27558). It can be considered a variant of CVE-2020-24588 but for mesh networks. This patch tries to detect if a standard MSDU was turned into an A-MSDU by an adversary. This is done by parsing a received A-MSDU as a standard MSDU, calculating the length of the Mesh Control header, and seeing if the 6 bytes after this header equal the start of an rfc1042 header. If equal, this is a strong indication of an ongoing attack attempt. This defense was tested with mac80211_hwsim against a mesh network that uses an empty Mesh Address Extension field, i.e., when four addresses are used, and when using a 12-byte Mesh Address Extension field, i.e., when six addresses are used. Functionality of normal MSDUs and A-MSDUs was also tested, and confirmed working, when using both an empty and 12-byte Mesh Address Extension field. It was also tested with mac80211_hwsim that A-MSDU attacks in non-mesh networks keep being detected and prevented. Note that the vulnerability being patched, and the defense being implemented, was also discussed in the following paper and in the following IEEE 802.11 presentation: https://papers.mathyvanhoef.com/wisec2025.pdf https://mentor.ieee.org/802.11/dcn/25/11-25-0949-00-000m-a-msdu-mesh-spoof-protection.docx

PUBLISHED Reserved 2025-04-16 | Published 2025-08-16 | Updated 2025-08-16 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before ec6392061de6681148b63ee6c8744da833498cdd
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before e01851f6e9a665a6011b14714b271d3e6b0b8d32
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 6e3b09402cc6c3e3474fa548e8adf6897dda05de
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 737bb912ebbe4571195c56eba557c4d7315b26fb
affected

Default status
affected

6.1.146
unaffected

6.6.99
unaffected

6.12.39
unaffected

6.15.7
unaffected

6.16
unaffected

References

git.kernel.org/...c/e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80

git.kernel.org/...c/ec6392061de6681148b63ee6c8744da833498cdd

git.kernel.org/...c/e01851f6e9a665a6011b14714b271d3e6b0b8d32

git.kernel.org/...c/6e3b09402cc6c3e3474fa548e8adf6897dda05de

git.kernel.org/...c/737bb912ebbe4571195c56eba557c4d7315b26fb

cve.org (CVE-2025-38512)

nvd.nist.gov (CVE-2025-38512)

Download JSON