CVE-2025-39750
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-11

Last updated on: 2025-11-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Correct tid cleanup when tid setup fails Currently, if any error occurs during ath12k_dp_rx_peer_tid_setup(), the tid value is already incremented, even though the corresponding TID is not actually allocated. Proceed to ath12k_dp_rx_peer_tid_delete() starting from unallocated tid, which might leads to freeing unallocated TID and cause potential crash or out-of-bounds access. Hence, fix by correctly decrementing tid before cleanup to match only the successfully allocated TIDs. Also, remove tid-- from failure case of ath12k_dp_rx_peer_frag_setup(), as decrementing the tid before cleanup in loop will take care of this. Compile tested only.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-11
Last Modified
2025-11-25
Generated
2026-06-16
AI Q&A
2025-09-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-39750
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel's ath12k WiFi driver. When an error happens during the setup of a TID (Traffic Identifier) in the function ath12k_dp_rx_peer_tid_setup(), the tid counter is incremented even though the TID was not actually allocated. Later, the cleanup function ath12k_dp_rx_peer_tid_delete() attempts to free a TID starting from this unallocated tid, which can lead to freeing memory that was never allocated, potentially causing a crash or out-of-bounds memory access. The fix involves correctly decrementing the tid counter before cleanup to ensure only successfully allocated TIDs are freed.

Impact Analysis

This vulnerability can cause the system to crash or experience out-of-bounds memory access due to improper cleanup of unallocated TIDs in the WiFi driver. Such crashes can lead to denial of service or instability in the affected system.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix for the ath12k tid cleanup issue. The fix ensures correct tid decrementing during error handling in ath12k_dp_rx_peer_tid_setup() and ath12k_dp_rx_peer_frag_setup(), preventing potential crashes or out-of-bounds access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-39750. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart