CVE-2025-68360 (GCVE-0-2025-68360)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32
Title
wifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks

MT7996 driver can use both wed and wed_hif2 devices to offload traffic
from/to the wireless NIC. In the current codebase we assume to always
use the primary wed device in wed callbacks resulting in the following
crash if the hw runs wed_hif2 (e.g. 6GHz link).

```
[ 297.455876] Unable to handle kernel read from unreadable memory at virtual address 000000000000080a
[ 297.464928] Mem abort info:
[ 297.467722] ESR = 0x0000000096000005
[ 297.471461] EC = 0x25: DABT (current EL), IL = 32 bits
[ 297.476766] SET = 0, FnV = 0
[ 297.479809] EA = 0, S1PTW = 0
[ 297.482940] FSC = 0x05: level 1 translation fault
[ 297.487809] Data abort info:
[ 297.490679] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 297.496156] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 297.501196] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 297.506500] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000107480000
[ 297.512927] [000000000000080a] pgd=08000001097fb003, p4d=08000001097fb003, pud=08000001097fb003, pmd=0000000000000000
[ 297.523532] Internal error: Oops: 0000000096000005 [#1] SMP
[ 297.715393] CPU: 2 UID: 0 PID: 45 Comm: kworker/u16:2 Tainted: G O 6.12.50 #0
[ 297.723908] Tainted: [O]=OOT_MODULE
[ 297.727384] Hardware name: Banana Pi BPI-R4 (2x SFP+) (DT)
[ 297.732857] Workqueue: nf_ft_offload_del nf_flow_rule_route_ipv6 [nf_flow_table]
[ 297.740254] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 297.747205] pc : mt76_wed_offload_disable+0x64/0xa0 [mt76]
[ 297.752688] lr : mtk_wed_flow_remove+0x58/0x80
[ 297.757126] sp : ffffffc080fe3ae0
[ 297.760430] x29: ffffffc080fe3ae0 x28: ffffffc080fe3be0 x27: 00000000deadbef7
[ 297.767557] x26: ffffff80c5ebca00 x25: 0000000000000001 x24: ffffff80c85f4c00
[ 297.774683] x23: ffffff80c1875b78 x22: ffffffc080d42cd0 x21: ffffffc080660018
[ 297.781809] x20: ffffff80c6a076d0 x19: ffffff80c6a043c8 x18: 0000000000000000
[ 297.788935] x17: 0000000000000000 x16: 0000000000000001 x15: 0000000000000000
[ 297.796060] x14: 0000000000000019 x13: ffffff80c0ad8ec0 x12: 00000000fa83b2da
[ 297.803185] x11: ffffff80c02700c0 x10: ffffff80c0ad8ec0 x9 : ffffff81fef96200
[ 297.810311] x8 : ffffff80c02700c0 x7 : ffffff80c02700d0 x6 : 0000000000000002
[ 297.817435] x5 : 0000000000000400 x4 : 0000000000000000 x3 : 0000000000000000
[ 297.824561] x2 : 0000000000000001 x1 : 0000000000000800 x0 : ffffff80c6a063c8
[ 297.831686] Call trace:
[ 297.834123] mt76_wed_offload_disable+0x64/0xa0 [mt76]
[ 297.839254] mtk_wed_flow_remove+0x58/0x80
[ 297.843342] mtk_flow_offload_cmd+0x434/0x574
[ 297.847689] mtk_wed_setup_tc_block_cb+0x30/0x40
[ 297.852295] nf_flow_offload_ipv6_hook+0x7f4/0x964 [nf_flow_table]
[ 297.858466] nf_flow_rule_route_ipv6+0x438/0x4a4 [nf_flow_table]
[ 297.864463] process_one_work+0x174/0x300
[ 297.868465] worker_thread+0x278/0x430
[ 297.872204] kthread+0xd8/0xdc
[ 297.875251] ret_from_fork+0x10/0x20
[ 297.878820] Code: 928b5ae0 8b000273 91400a60 f943fa61 (79401421)
[ 297.884901] ---[ end trace 0000000000000000 ]---
```
Fix the issue by detecting the proper wed reference to use when running wed
callbacks.
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 83eafc9251d6d30574b629ac637c56d168fcbdd9 , < ab94ecb997fd1bbc501a0116c7aad51556b67c86 (git) |
| Linux | Linux | Affected: 83eafc9251d6d30574b629ac637c56d168fcbdd9 , < d582d0e988d696698c94edf097062bb987ae592c (git) |
| Linux | Linux | Affected: 83eafc9251d6d30574b629ac637c56d168fcbdd9 , < 385aab8fccd7a8746b9f1a17f3c1e38498a14bc7 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt76.h",
"drivers/net/wireless/mediatek/mt76/mt7996/mmio.c",
"drivers/net/wireless/mediatek/mt76/wed.c",
"include/linux/soc/mediatek/mtk_wed.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab94ecb997fd1bbc501a0116c7aad51556b67c86",
"status": "affected",
"version": "83eafc9251d6d30574b629ac637c56d168fcbdd9",
"versionType": "git"
},
{
"lessThan": "d582d0e988d696698c94edf097062bb987ae592c",
"status": "affected",
"version": "83eafc9251d6d30574b629ac637c56d168fcbdd9",
"versionType": "git"
},
{
"lessThan": "385aab8fccd7a8746b9f1a17f3c1e38498a14bc7",
"status": "affected",
"version": "83eafc9251d6d30574b629ac637c56d168fcbdd9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt76.h",
"drivers/net/wireless/mediatek/mt76/mt7996/mmio.c",
"drivers/net/wireless/mediatek/mt76/wed.c",
"include/linux/soc/mediatek/mtk_wed.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks\n\nMT7996 driver can use both wed and wed_hif2 devices to offload traffic\nfrom/to the wireless NIC. In the current codebase we assume to always\nuse the primary wed device in wed callbacks resulting in the following\ncrash if the hw runs wed_hif2 (e.g. 6GHz link).\n\n[ 297.455876] Unable to handle kernel read from unreadable memory at virtual address 000000000000080a\n[ 297.464928] Mem abort info:\n[ 297.467722] ESR = 0x0000000096000005\n[ 297.471461] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 297.476766] SET = 0, FnV = 0\n[ 297.479809] EA = 0, S1PTW = 0\n[ 297.482940] FSC = 0x05: level 1 translation fault\n[ 297.487809] Data abort info:\n[ 297.490679] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 297.496156] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 297.501196] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 297.506500] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000107480000\n[ 297.512927] [000000000000080a] pgd=08000001097fb003, p4d=08000001097fb003, pud=08000001097fb003, pmd=0000000000000000\n[ 297.523532] Internal error: Oops: 0000000096000005 [#1] SMP\n[ 297.715393] CPU: 2 UID: 0 PID: 45 Comm: kworker/u16:2 Tainted: G O 6.12.50 #0\n[ 297.723908] Tainted: [O]=OOT_MODULE\n[ 297.727384] Hardware name: Banana Pi BPI-R4 (2x SFP+) (DT)\n[ 297.732857] Workqueue: nf_ft_offload_del nf_flow_rule_route_ipv6 [nf_flow_table]\n[ 297.740254] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 297.747205] pc : mt76_wed_offload_disable+0x64/0xa0 [mt76]\n[ 297.752688] lr : mtk_wed_flow_remove+0x58/0x80\n[ 297.757126] sp : ffffffc080fe3ae0\n[ 297.760430] x29: ffffffc080fe3ae0 x28: ffffffc080fe3be0 x27: 00000000deadbef7\n[ 297.767557] x26: ffffff80c5ebca00 x25: 0000000000000001 x24: ffffff80c85f4c00\n[ 297.774683] x23: ffffff80c1875b78 x22: ffffffc080d42cd0 x21: ffffffc080660018\n[ 297.781809] x20: 
ffffff80c6a076d0 x19: ffffff80c6a043c8 x18: 0000000000000000\n[ 297.788935] x17: 0000000000000000 x16: 0000000000000001 x15: 0000000000000000\n[ 297.796060] x14: 0000000000000019 x13: ffffff80c0ad8ec0 x12: 00000000fa83b2da\n[ 297.803185] x11: ffffff80c02700c0 x10: ffffff80c0ad8ec0 x9 : ffffff81fef96200\n[ 297.810311] x8 : ffffff80c02700c0 x7 : ffffff80c02700d0 x6 : 0000000000000002\n[ 297.817435] x5 : 0000000000000400 x4 : 0000000000000000 x3 : 0000000000000000\n[ 297.824561] x2 : 0000000000000001 x1 : 0000000000000800 x0 : ffffff80c6a063c8\n[ 297.831686] Call trace:\n[ 297.834123] mt76_wed_offload_disable+0x64/0xa0 [mt76]\n[ 297.839254] mtk_wed_flow_remove+0x58/0x80\n[ 297.843342] mtk_flow_offload_cmd+0x434/0x574\n[ 297.847689] mtk_wed_setup_tc_block_cb+0x30/0x40\n[ 297.852295] nf_flow_offload_ipv6_hook+0x7f4/0x964 [nf_flow_table]\n[ 297.858466] nf_flow_rule_route_ipv6+0x438/0x4a4 [nf_flow_table]\n[ 297.864463] process_one_work+0x174/0x300\n[ 297.868465] worker_thread+0x278/0x430\n[ 297.872204] kthread+0xd8/0xdc\n[ 297.875251] ret_from_fork+0x10/0x20\n[ 297.878820] Code: 928b5ae0 8b000273 91400a60 f943fa61 (79401421)\n[ 297.884901] ---[ end trace 0000000000000000 ]---\n\nFix the issue detecting the proper wed reference to use running wed\ncallabacks."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:32:49.121Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab94ecb997fd1bbc501a0116c7aad51556b67c86"
},
{
"url": "https://git.kernel.org/stable/c/d582d0e988d696698c94edf097062bb987ae592c"
},
{
"url": "https://git.kernel.org/stable/c/385aab8fccd7a8746b9f1a17f3c1e38498a14bc7"
}
],
"title": "wifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68360",
"datePublished": "2025-12-24T10:32:49.121Z",
"dateReserved": "2025-12-16T14:48:05.305Z",
"dateUpdated": "2025-12-24T10:32:49.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}