CVE-2025-38513

{"id": "CVE-2025-38513", "cveTags": [], "metrics": {}, "published": "2025-08-16T11:15:44.383", "references": [{"url": "https://git.kernel.org/stable/c/014c34dc132015c4f918ada4982e952947ac1047", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5420de65efbeb6503bcf1d43451c9df67ad60298", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/602b4eb2f25668de15de69860ec99caf65b3684d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/74b1ec9f5d627d2bdd5e5b6f3f81c23317657023", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/adf08c96b963c7cd7ec1ee1c0c556228d9bedaae", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b24f65c184540dfb967479320ecf7e8c2e9220dc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c1958270de947604cc6de05fc96dbba256b49cf0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fcd9c923b58e86501450b9b442ccc7ce4a8d0fda", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()\n\nThere is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For\nexample, the following is possible:\n\n \tT0\t\t\t \t\tT1\nzd_mac_tx_to_dev()\n /* len == skb_queue_len(q) */\n while (len > ZD_MAC_MAX_ACK_WAITERS) {\n\n\t\t\t\t\t filter_ack()\n\t\t\t\t\t spin_lock_irqsave(&q->lock, flags);\n\t\t\t\t\t /* position == skb_queue_len(q) */\n\t\t\t\t\t for (i=1; i<position; i++)\n\t\t\t\t \t skb = __skb_dequeue(q)\n\n\t\t\t\t\t if (mac->type == NL80211_IFTYPE_AP)\n\t\t\t\t\t skb = __skb_dequeue(q);\n\t\t\t\t\t spin_unlock_irqrestore(&q->lock, flags);\n\n skb_dequeue() -> NULL\n\nSince there is a small gap between checking skb queue length and skb being\nunconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.\nThen the pointer is passed to zd_mac_tx_status() where it is dereferenced.\n\nIn order to avoid potential NULL pointer dereference due to situations like\nabove, check if skb is not NULL before passing it to zd_mac_tx_status().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: zd1211rw: Se corrige una posible desreferencia de puntero NULL en zd_mac_tx_to_dev(). Existe una posible desreferencia de puntero NULL en zd_mac_tx_to_dev(). Por ejemplo, es posible lo siguiente: T0 T1 zd_mac_tx_to_dev() /* len == skb_queue_len(q) */ while (len &gt; ZD_MAC_MAX_ACK_WAITERS) { filter_ack() spin_lock_irqsave(&amp;q-&gt;lock, flags); /* position == skb_queue_len(q) */ for (i=1; itype == NL80211_IFTYPE_AP) skb = __skb_dequeue(q); spin_unlock_irqrestore(&amp;q-&gt;lock, flags); skb_dequeue() -&gt; NULL. Dado que hay una peque\u00f1a diferencia entre la comprobaci\u00f3n de la longitud de la cola de skb y su desencolado incondicional en zd_mac_tx_to_dev(), skb_dequeue() puede devolver NULL. A continuaci\u00f3n, el puntero se pasa a zd_mac_tx_status(), donde se desreferencia. Para evitar posibles desreferencias de punteros NULL debido a situaciones como la anterior, compruebe que skb no sea NULL antes de pasarlo a zd_mac_tx_status(). Encontrado por el Centro de Verificaci\u00f3n de Linux (linuxtesting.org) con SVACE."}], "lastModified": "2025-08-18T20:16:28.750", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}