FKIE_CVE-2025-38643

Vulnerability from fkie_nvd - Published: 2025-08-22 16:15 - Updated: 2025-12-01 19:14
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() Callers of wdev_chandef() must hold the wiphy mutex. But the worker cfg80211_propagate_cac_done_wk() never takes the lock. Which triggers the warning below with the mesh_peer_connected_dfs test from hostapd and not (yet) released mac80211 code changes: WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165 Modules linked in: CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf Workqueue: cfg80211 cfg80211_propagate_cac_done_wk Stack: 00000000 00000001 ffffff00 6093267c 00000000 6002ec30 6d577c50 60037608 00000000 67e8d108 6063717b 00000000 Call Trace: [<6002ec30>] ? _printk+0x0/0x98 [<6003c2b3>] show_stack+0x10e/0x11a [<6002ec30>] ? _printk+0x0/0x98 [<60037608>] dump_stack_lvl+0x71/0xb8 [<6063717b>] ? wdev_chandef+0x60/0x165 [<6003766d>] dump_stack+0x1e/0x20 [<6005d1b7>] __warn+0x101/0x20f [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 [<600b11a2>] ? mark_held_locks+0x5a/0x6e [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d [<60052e53>] ? unblock_signals+0x3a/0xe7 [<60052f2d>] ? um_set_signals+0x2d/0x43 [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 [<607508b2>] ? lock_is_held_type+0x207/0x21f [<6063717b>] wdev_chandef+0x60/0x165 [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f [<60052f00>] ? um_set_signals+0x0/0x43 [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a [<6007e460>] process_scheduled_works+0x3bc/0x60e [<6007d0ec>] ? move_linked_works+0x4d/0x81 [<6007d120>] ? assign_work+0x0/0xaa [<6007f81f>] worker_thread+0x220/0x2dc [<600786ef>] ? set_pf_worker+0x0/0x57 [<60087c96>] ? to_kthread+0x0/0x43 [<6008ab3c>] kthread+0x2d3/0x2e2 [<6007f5ff>] ? worker_thread+0x0/0x2dc [<6006c05b>] ? calculate_sigpending+0x0/0x56 [<6003b37d>] new_thread_handler+0x4a/0x64 irq event stamp: 614611 hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985 softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2c5dee15239f3f3e31aa5c8808f18996c039e2c1Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4a63523d3541eef4cf504a9682e6fbe94ffe79a6Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7022df2248c08c6f75a01714163ac902333bf3dbPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b3d24038eb775f2f7a1dfef58d8e1dc444a12820Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/dbce810607726408f889d3358f4780fd1436861ePatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 5.5
linux linux_kernel 5.5
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "483F0C55-BD7E-4F22-87FA-B7E925185143",
              "versionEndExcluding": "4.15",
              "versionStartIncluding": "4.14.170",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F43F85CE-735B-484D-A9C8-92AED3BFF162",
              "versionEndExcluding": "4.20",
              "versionStartIncluding": "4.19.102",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "96F6F65F-C278-4ADA-9DFF-7B7DE2F5E450",
              "versionEndExcluding": "5.5",
              "versionStartIncluding": "5.4.18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "901C09B3-81A4-4D6D-AB94-021EEC612417",
              "versionEndExcluding": "6.6.118",
              "versionStartIncluding": "5.5.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "32D87516-EE2C-40AC-B9CD-56534A895341",
              "versionEndExcluding": "6.12.57",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5890C690-B295-40C2-9121-FF5F987E5142",
              "versionEndExcluding": "6.15.10",
              "versionStartIncluding": "6.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "58182352-D7DF-4CC9-841E-03C1D852C3FB",
              "versionEndExcluding": "6.16.1",
              "versionStartIncluding": "6.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.5:-:*:*:*:*:*:*",
              "matchCriteriaId": "EE98F46A-F7D9-4609-B6A0-882E7F0D378C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.5:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "3444D854-CE07-4D25-827A-ECF7BB58EA2D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()\n\nCallers of wdev_chandef() must hold the wiphy mutex.\n\nBut the worker cfg80211_propagate_cac_done_wk() never takes the lock.\nWhich triggers the warning below with the mesh_peer_connected_dfs\ntest from hostapd and not (yet) released mac80211 code changes:\n\nWARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165\nModules linked in:\nCPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf\nWorkqueue: cfg80211 cfg80211_propagate_cac_done_wk\nStack:\n 00000000 00000001 ffffff00 6093267c\n 00000000 6002ec30 6d577c50 60037608\n 00000000 67e8d108 6063717b 00000000\nCall Trace:\n [\u003c6002ec30\u003e] ? _printk+0x0/0x98\n [\u003c6003c2b3\u003e] show_stack+0x10e/0x11a\n [\u003c6002ec30\u003e] ? _printk+0x0/0x98\n [\u003c60037608\u003e] dump_stack_lvl+0x71/0xb8\n [\u003c6063717b\u003e] ? wdev_chandef+0x60/0x165\n [\u003c6003766d\u003e] dump_stack+0x1e/0x20\n [\u003c6005d1b7\u003e] __warn+0x101/0x20f\n [\u003c6005d3a8\u003e] warn_slowpath_fmt+0xe3/0x15d\n [\u003c600b0c5c\u003e] ? mark_lock.part.0+0x0/0x4ec\n [\u003c60751191\u003e] ? __this_cpu_preempt_check+0x0/0x16\n [\u003c600b11a2\u003e] ? mark_held_locks+0x5a/0x6e\n [\u003c6005d2c5\u003e] ? warn_slowpath_fmt+0x0/0x15d\n [\u003c60052e53\u003e] ? unblock_signals+0x3a/0xe7\n [\u003c60052f2d\u003e] ? um_set_signals+0x2d/0x43\n [\u003c60751191\u003e] ? __this_cpu_preempt_check+0x0/0x16\n [\u003c607508b2\u003e] ? lock_is_held_type+0x207/0x21f\n [\u003c6063717b\u003e] wdev_chandef+0x60/0x165\n [\u003c605f89b4\u003e] regulatory_propagate_dfs_state+0x247/0x43f\n [\u003c60052f00\u003e] ? um_set_signals+0x0/0x43\n [\u003c605e6bfd\u003e] cfg80211_propagate_cac_done_wk+0x3a/0x4a\n [\u003c6007e460\u003e] process_scheduled_works+0x3bc/0x60e\n [\u003c6007d0ec\u003e] ? move_linked_works+0x4d/0x81\n [\u003c6007d120\u003e] ? assign_work+0x0/0xaa\n [\u003c6007f81f\u003e] worker_thread+0x220/0x2dc\n [\u003c600786ef\u003e] ? set_pf_worker+0x0/0x57\n [\u003c60087c96\u003e] ? to_kthread+0x0/0x43\n [\u003c6008ab3c\u003e] kthread+0x2d3/0x2e2\n [\u003c6007f5ff\u003e] ? worker_thread+0x0/0x2dc\n [\u003c6006c05b\u003e] ? calculate_sigpending+0x0/0x56\n [\u003c6003b37d\u003e] new_thread_handler+0x4a/0x64\nirq event stamp: 614611\nhardirqs last  enabled at (614621): [\u003c00000000600bc96b\u003e] __up_console_sem+0x82/0xaf\nhardirqs last disabled at (614630): [\u003c00000000600bc92c\u003e] __up_console_sem+0x43/0xaf\nsoftirqs last  enabled at (614268): [\u003c00000000606c55c6\u003e] __ieee80211_wake_queue+0x933/0x985\nsoftirqs last disabled at (614266): [\u003c00000000606c52d6\u003e] __ieee80211_wake_queue+0x643/0x985"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: cfg80211: Se ha a\u00f1adido un bloqueo faltante en cfg80211_check_and_end_cac(). Quienes llaman a wdev_chandef() deben mantener el mutex de wiphy. Sin embargo, el trabajador cfg80211_propagate_cac_done_wk() nunca asume el bloqueo. Lo que activa la advertencia a continuaci\u00f3n con la prueba mesh_peer_connected_dfs de hostapd y los cambios de c\u00f3digo mac80211 no publicados (a\u00fan): ADVERTENCIA: CPU: 0 PID: 495 en net/wireless/chan.c:1552 wdev_chandef+0x60/0x165 M\u00f3dulos vinculados: CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 No contaminado 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf Cola de trabajo: cfg80211 cfg80211_propagate_cac_done_wk Pila: 00000000 00000001 ffffff00 6093267c 00000000 6002ec30 6d577c50 60037608 00000000 67e8d108 6063717b 00000000 Rastreo de llamadas: [\u0026lt;6002ec30\u0026gt;] ? _printk+0x0/0x98 [\u0026lt;6003c2b3\u0026gt;] show_stack+0x10e/0x11a [\u0026lt;6002ec30\u0026gt;] ? _printk+0x0/0x98 [\u0026lt;60037608\u0026gt;] dump_stack_lvl+0x71/0xb8 [\u0026lt;6063717b\u0026gt;] ? __warn+0x101/0x20f [\u0026lt;6005d3a8\u0026gt;] warn_slowpath_fmt+0xe3/0x15d [\u0026lt;600b0c5c\u0026gt;] ? mark_lock.part.0+0x0/0x4ec [\u0026lt;60751191\u0026gt;] ? __this_cpu_preempt_check+0x0/0x16 [\u0026lt;600b11a2\u0026gt;] ? mark_held_locks+0x5a/0x6e [\u0026lt;6005d2c5\u0026gt;] ? warn_slowpath_fmt+0x0/0x15d [\u0026lt;60052e53\u0026gt;] ? unblock_signals+0x3a/0xe7 [\u0026lt;60052f2d\u0026gt;] ? um_set_signals+0x2d/0x43 [\u0026lt;60751191\u0026gt;] ? __this_cpu_preempt_check+0x0/0x16 [\u0026lt;607508b2\u0026gt;] ? lock_is_held_type+0x207/0x21f [\u0026lt;6063717b\u0026gt;] wdev_chandef+0x60/0x165 [\u0026lt;605f89b4\u0026gt;] regulatory_propagate_dfs_state+0x247/0x43f [\u0026lt;60052f00\u0026gt;] ? um_set_signals+0x0/0x43 [\u0026lt;605e6bfd\u0026gt;] cfg80211_propagate_cac_done_wk+0x3a/0x4a [\u0026lt;6007e460\u0026gt;] proceso_trabajos_programados+0x3bc/0x60e [\u0026lt;6007d0ec\u0026gt;] ? mover_trabajos_vinculados+0x4d/0x81 [\u0026lt;6007d120\u0026gt;] ? asignar_trabajo+0x0/0xaa [\u0026lt;6007f81f\u0026gt;] subproceso_trabajador+0x220/0x2dc [\u0026lt;600786ef\u0026gt;] ? establecer_pf_trabajador+0x0/0x57 [\u0026lt;60087c96\u0026gt;] ? hilo_trabajador+0x0/0x2dc [\u0026lt;6006c05b\u0026gt;] ? calculate_sigpending+0x0/0x56 [\u0026lt;6003b37d\u0026gt;] new_thread_handler+0x4a/0x64 marca de evento de irq: 614611 hardirqs habilitados por \u00faltima vez en (614621): [\u0026lt;00000000600bc96b\u0026gt;] __up_console_sem+0x82/0xaf hardirqs deshabilitados por \u00faltima vez en (614630): [\u0026lt;00000000600bc92c\u0026gt;] __up_console_sem+0x43/0xaf softirqs habilitados por \u00faltima vez en (614268): [\u0026lt;00000000606c55c6\u0026gt;] __ieee80211_wake_queue+0x933/0x985 softirqs deshabilitados por \u00faltima vez en (614266): [\u0026lt;00000000606c52d6\u0026gt;] __ieee80211_wake_queue+0x643/0x985"
    }
  ],
  "id": "CVE-2025-38643",
  "lastModified": "2025-12-01T19:14:29.583",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-08-22T16:15:38.417",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/2c5dee15239f3f3e31aa5c8808f18996c039e2c1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/4a63523d3541eef4cf504a9682e6fbe94ffe79a6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/7022df2248c08c6f75a01714163ac902333bf3db"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/b3d24038eb775f2f7a1dfef58d8e1dc444a12820"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/dbce810607726408f889d3358f4780fd1436861e"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-667"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.