CVE-2025-38513
BaseFortify

Publication date: 2025-08-16

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()

There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible:

    T0                                      T1
    zd_mac_tx_to_dev()
      /* len == skb_queue_len(q) */
      while (len > ZD_MAC_MAX_ACK_WAITERS) {

                                            filter_ack()
                                              spin_lock_irqsave(&q->lock, flags);
                                              /* position == skb_queue_len(q) */
                                              for (i=1; i<position; i++)
                                                skb = __skb_dequeue(q)

                                              if (mac->type == NL80211_IFTYPE_AP)
                                                skb = __skb_dequeue(q);
                                              spin_unlock_irqrestore(&q->lock, flags);

        skb_dequeue() -> NULL

Since there is a small gap between checking skb queue length and skb being unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL. Then the pointer is passed to zd_mac_tx_status() where it is dereferenced.

In order to avoid potential NULL pointer dereference due to situations like above, check if skb is not NULL before passing it to zd_mac_tx_status().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Meta Information
Published: 2025-08-16
Last Modified: 2025-11-03
Generated: 2026-05-27
AI Q&A: 2025-08-16
EPSS Evaluated: 2026-05-25

Affected Vendors & Products
Showing 2 associated CPEs

Vendor    Product    Version / Range
linux     kernel     6.1.153
linux     kernel     5.10.244

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a potential NULL pointer dereference in the Linux kernel's zd1211rw wifi driver, specifically in the function zd_mac_tx_to_dev(). The issue arises because there is a small timing gap between checking the length of a socket buffer (skb) queue and dequeuing an skb unconditionally. This can cause skb_dequeue() to return NULL, and then the NULL pointer is passed to zd_mac_tx_status() where it is dereferenced, potentially causing a kernel crash or instability. The fix involves checking if skb is not NULL before passing it to zd_mac_tx_status().
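
The race and the fix described above, as an added userspace model in C; it is not the kernel patch or the driver's code. The type and function names, the threshold value, the `break` on NULL and the single-threaded callback that stands in for T1 are assumptions made for illustration.

```c
/* Userspace model of the check-then-dequeue race; not kernel code. */
#include <stddef.h>
#include <stdio.h>

#define MAX_ACK_WAITERS 2  /* stand-in for ZD_MAC_MAX_ACK_WAITERS; value assumed */

struct skb { struct skb *next; };
struct queue { struct skb *head; size_t len; };

/* Like skb_dequeue(): returns NULL when the queue is empty. */
static struct skb *dequeue(struct queue *q)
{
    struct skb *s = q->head;
    if (s) { q->head = s->next; q->len--; }
    return s;
}

/* Plays T1 (filter_ack): empties the queue inside T0's check-to-dequeue gap. */
static void drain(struct queue *q) { while (dequeue(q)) ; }

/* Plays T0's loop. Returns how many times a NULL skb would have reached the
 * status handler, which in the real driver is a NULL pointer dereference. */
static int trim_queue(struct queue *q, void (*racer)(struct queue *), int check_null)
{
    int null_passed = 0;
    while (q->len > MAX_ACK_WAITERS) {   /* length check */
        if (racer) racer(q);             /* the gap: T1 runs here */
        struct skb *s = dequeue(q);      /* may now be NULL */
        if (check_null && !s) break;     /* fixed pattern: stop on NULL */
        if (!s) null_passed++;           /* pre-fix: NULL goes to the handler */
    }
    return null_passed;
}

/* Builds a 4-entry queue (constructed input) and runs one pass over it. */
int simulate(int with_racer, int check_null)
{
    struct skb pool[4];
    struct queue q = { NULL, 0 };
    for (int i = 0; i < 4; i++) { pool[i].next = q.head; q.head = &pool[i]; q.len++; }
    return trim_queue(&q, with_racer ? drain : NULL, check_null);
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n", simulate(1, 0), simulate(1, 1));
    return 0;
}
```

Without the racing callback both variants behave the same, which is why the length check alone looks sufficient in single-threaded testing.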


How can this vulnerability impact me?

This vulnerability can lead to a NULL pointer dereference in the Linux kernel wifi driver, which may cause the kernel to crash or become unstable. This can result in denial of service (DoS) conditions on affected systems, potentially disrupting network connectivity and system availability.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version where the zd1211rw driver includes the fix that checks if skb is not NULL before passing it to zd_mac_tx_status(). This prevents the NULL pointer dereference. Until the update is applied, avoid using the affected zd1211rw wireless driver to reduce risk.

