CVE-2025-23133

EPSS 0.04%
Published 16.04.2025 14:13:14
Last modified 09.09.2025 17:15:42
Source 416baaa9-dc9f-4396-8d5f-8c081f
Teams watchlist Login
Open Login

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: update channel list in reg notifier instead reg worker

Currently when ath11k gets a new channel list, it will be processed
according to the following steps:
1. update new channel list to cfg80211 and queue reg_work.
2. cfg80211 handles new channel list during reg_work.
3. update cfg80211's handled channel list to firmware by
ath11k_reg_update_chan_list().

But ath11k will immediately execute step 3 after reg_work is just
queued. Since step 2 is asynchronous, cfg80211 may not have completed
handling the new channel list, which may leading to an out-of-bounds
write error:
BUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list
Call Trace:
    ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k]
    kfree+0x109/0x3a0
    ath11k_regd_update+0x1cf/0x350 [ath11k]
    ath11k_regd_update_work+0x14/0x20 [ath11k]
    process_one_work+0xe35/0x14c0

Should ensure step 2 is completely done before executing step 3. Thus
Wen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set,
cfg80211 will notify ath11k after step 2 is done.

So enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will
notify ath11k after step 2 is done. At this time, there will be no
KASAN bug during the execution of the step 3.

[1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3

Affected products Warnungen 0 Metrics 1 CWE 0 References 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorLinux

≫

Product Linux

Default Statusunaffected

Version < 26618c039b78a76c373d4e02c5fbd52e3a73aead

Version f45cb6b29cd36514e13f7519770873d8c0457008

Status affected

Version < f952fb83c9c6f908d27500764c4aee1df04b9d3f

Version f45cb6b29cd36514e13f7519770873d8c0457008

Status affected

Version < 933ab187e679e6fbdeea1835ae39efcc59c022d2

Version f45cb6b29cd36514e13f7519770873d8c0457008

Status affected

Version f96fd36936310cefe0ea1370a9ae30e6746e6f62

Status affected

Version c97b120950b49d76bdce013bd4d9577d769465f4

Status affected

VendorLinux

≫

Product Linux

Default Statusaffected

Version 6.1

Status affected

Version < 6.1

Version 0

Status unaffected

Version <= 6.12.*

Version 6.12.46

Status unaffected

Version <= 6.14.*

Version 6.14.2

Status unaffected

Version <= *

Version 6.15

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.04%	0.118

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string

https://git.kernel.org/stable/c/f952fb83c9c6f908d27500764c4aee1df04b9d3f

https://git.kernel.org/stable/c/933ab187e679e6fbdeea1835ae39efcc59c022d2

https://git.kernel.org/stable/c/26618c039b78a76c373d4e02c5fbd52e3a73aead

https://nvd.nist.gov/vuln/detail/CVE-2025-23133

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-23133

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-23133

EUVD