CVE-2025-38657
BaseFortify
Publication date: 2025-08-22
Last updated on: 2025-11-26
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.16 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's wifi driver rtw89, specifically in the mcc component. The issue arises because the 'link_id' value, which is provided by the user through debugfs, can be larger than BITS_PER_LONG. This causes a shift wrapping problem in the function rtw89_core_mlsr_switch(), potentially leading to an out of bounds memory access. The fix limits 'link_id' to IEEE80211_MLD_MAX_NUM_LINKS (15) to prevent this.
How can this vulnerability impact me? :
The vulnerability could potentially lead to an out of bounds memory access in the wifi driver, which might cause system instability or security issues. However, since only root users can write to debugfs files, the security impact is minimal.
What immediate steps should I take to mitigate this vulnerability?
Since the vulnerability involves the 'link_id' value being written via debugfs by root, immediate mitigation steps include restricting root access to the system and avoiding writing to the affected debugfs files until the kernel is updated with the fix. Applying the updated Linux kernel that includes the patch preventing shift wrapping in rtw89_core_mlsr_switch() is recommended.