Home

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible: T0 T1 zd_mac_tx_to_dev() /* len == skb_queue_len(q) */ while (len > ZD_MAC_MAX_ACK_WAITERS) { filter_ack() spin_lock_irqsave(&q->lock, flags); /* position == skb_queue_len(q) */ for (i=1; i<position; i++) skb = __skb_dequeue(q) if (mac->type == NL80211_IFTYPE_AP) skb = __skb_dequeue(q); spin_unlock_irqrestore(&q->lock, flags); skb_dequeue() -> NULL Since there is a small gap between checking skb queue length and skb being unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL. Then the pointer is passed to zd_mac_tx_status() where it is dereferenced. In order to avoid potential NULL pointer dereference due to situations like above, check if skb is not NULL before passing it to zd_mac_tx_status(). Found by Linux Verification Center (linuxtesting.org) with SVACE.

PUBLISHED Reserved 2025-04-16 | Published 2025-08-16 | Updated 2025-08-16 | Assigner Linux

Product status

Default status
unaffected

459c51ad6e1fc19e91a53798358433d3c08cd09d before c1958270de947604cc6de05fc96dbba256b49cf0
affected

459c51ad6e1fc19e91a53798358433d3c08cd09d before 014c34dc132015c4f918ada4982e952947ac1047
affected

459c51ad6e1fc19e91a53798358433d3c08cd09d before b24f65c184540dfb967479320ecf7e8c2e9220dc
affected

459c51ad6e1fc19e91a53798358433d3c08cd09d before adf08c96b963c7cd7ec1ee1c0c556228d9bedaae
affected

459c51ad6e1fc19e91a53798358433d3c08cd09d before 5420de65efbeb6503bcf1d43451c9df67ad60298
affected

459c51ad6e1fc19e91a53798358433d3c08cd09d before fcd9c923b58e86501450b9b442ccc7ce4a8d0fda
affected

459c51ad6e1fc19e91a53798358433d3c08cd09d before 602b4eb2f25668de15de69860ec99caf65b3684d
affected

459c51ad6e1fc19e91a53798358433d3c08cd09d before 74b1ec9f5d627d2bdd5e5b6f3f81c23317657023
affected

Default status
affected

2.6.25
affected

Any version before 2.6.25
unaffected

5.4.296
unaffected

5.10.240
unaffected

5.15.189
unaffected

6.1.146
unaffected

6.6.99
unaffected

6.12.39
unaffected

6.15.7
unaffected

6.16
unaffected

References

git.kernel.org/...c/c1958270de947604cc6de05fc96dbba256b49cf0

git.kernel.org/...c/014c34dc132015c4f918ada4982e952947ac1047

git.kernel.org/...c/b24f65c184540dfb967479320ecf7e8c2e9220dc

git.kernel.org/...c/adf08c96b963c7cd7ec1ee1c0c556228d9bedaae

git.kernel.org/...c/5420de65efbeb6503bcf1d43451c9df67ad60298

git.kernel.org/...c/fcd9c923b58e86501450b9b442ccc7ce4a8d0fda

git.kernel.org/...c/602b4eb2f25668de15de69860ec99caf65b3684d

git.kernel.org/...c/74b1ec9f5d627d2bdd5e5b6f3f81c23317657023

cve.org (CVE-2025-38513)

nvd.nist.gov (CVE-2025-38513)

Download JSON