CVE-2025-68729 (GCVE-0-2025-68729)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2025-12-24 10:33
Title
wifi: ath12k: Fix MSDU buffer types handling in RX error path
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: Fix MSDU buffer types handling in RX error path

Currently, packets received on the REO exception ring from
unassociated peers are of MSDU buffer type, while the driver expects
link descriptor type packets. These packets are not parsed further due
to a return check on packet type in ath12k_hal_desc_reo_parse_err(),
but the associated skb is not freed. This may lead to kernel
crashes and buffer leaks.

Hence to fix, update the RX error handler to explicitly drop
MSDU buffer type packets received on the REO exception ring.
This prevents further processing of invalid packets and ensures
stability in the RX error handling path.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Severity
No CVSS data available.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 5ff5a9d71cdc49c3400f30583a784ad0a17d01ec (git) |
| Linux | Linux | Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < ab0554f51e5f2b9506e8a09e8accd02f00056729 (git) |
| Linux | Linux | Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp_rx.c",
"drivers/net/wireless/ath/ath12k/hal_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5ff5a9d71cdc49c3400f30583a784ad0a17d01ec",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "ab0554f51e5f2b9506e8a09e8accd02f00056729",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp_rx.c",
"drivers/net/wireless/ath/ath12k/hal_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix MSDU buffer types handling in RX error path\n\nCurrently, packets received on the REO exception ring from\nunassociated peers are of MSDU buffer type, while the driver expects\nlink descriptor type packets. These packets are not parsed further due\nto a return check on packet type in ath12k_hal_desc_reo_parse_err(),\nbut the associated skb is not freed. This may lead to kernel\ncrashes and buffer leaks.\n\nHence to fix, update the RX error handler to explicitly drop\nMSDU buffer type packets received on the REO exception ring.\nThis prevents further processing of invalid packets and ensures\nstability in the RX error handling path.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:33:12.515Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5ff5a9d71cdc49c3400f30583a784ad0a17d01ec"
},
{
"url": "https://git.kernel.org/stable/c/ab0554f51e5f2b9506e8a09e8accd02f00056729"
},
{
"url": "https://git.kernel.org/stable/c/36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981"
}
],
"title": "wifi: ath12k: Fix MSDU buffer types handling in RX error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68729",
"datePublished": "2025-12-24T10:33:12.515Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2025-12-24T10:33:12.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-68729\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T11:16:02.200\",\"lastModified\":\"2025-12-24T11:16:02.200\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath12k: Fix MSDU buffer types handling in RX error path\\n\\nCurrently, packets received on the REO exception ring from\\nunassociated peers are of MSDU buffer type, while the driver expects\\nlink descriptor type packets. These packets are not parsed further due\\nto a return check on packet type in ath12k_hal_desc_reo_parse_err(),\\nbut the associated skb is not freed. This may lead to kernel\\ncrashes and buffer leaks.\\n\\nHence to fix, update the RX error handler to explicitly drop\\nMSDU buffer type packets received on the REO exception ring.\\nThis prevents further processing of invalid packets and ensures\\nstability in the RX error handling path.\\n\\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5ff5a9d71cdc49c3400f30583a784ad0a17d01ec\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ab0554f51e5f2b9506e8a09e8accd02f00056729\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}