In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible: T0 T1 zd_mac_tx_to_dev() /* len == skb_queue_len(q) */ while (len > ZD_MAC_MAX_ACK_WAITERS) { filter_ack() spin_lock_irqsave(&q->lock, flags); /* position == skb_queue_len(q) */ for (i=1; i<position; i++) skb = __skb_dequeue(q) if (mac->type == NL80211_IFTYPE_AP) skb = __skb_dequeue(q); spin_unlock_irqrestore(&q->lock, flags); skb_dequeue() -> NULL Since there is a small gap between checking skb queue length and skb being unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL. Then the pointer is passed to zd_mac_tx_status() where it is dereferenced. In order to avoid potential NULL pointer dereference due to situations like above, check if skb is not NULL before passing it to zd_mac_tx_status(). Found by Linux Verification Center (linuxtesting.org) with SVACE.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Linux
  • Linux Kernel

No data.

No data.

References
Link Providers
https://git.kernel.org/stable/c/014c34dc132015c4f918ada4982e952947ac1047 cve-icon cve-icon
https://git.kernel.org/stable/c/5420de65efbeb6503bcf1d43451c9df67ad60298 cve-icon cve-icon
https://git.kernel.org/stable/c/602b4eb2f25668de15de69860ec99caf65b3684d cve-icon cve-icon
https://git.kernel.org/stable/c/74b1ec9f5d627d2bdd5e5b6f3f81c23317657023 cve-icon cve-icon
https://git.kernel.org/stable/c/adf08c96b963c7cd7ec1ee1c0c556228d9bedaae cve-icon cve-icon
https://git.kernel.org/stable/c/b24f65c184540dfb967479320ecf7e8c2e9220dc cve-icon cve-icon
https://git.kernel.org/stable/c/c1958270de947604cc6de05fc96dbba256b49cf0 cve-icon cve-icon
https://git.kernel.org/stable/c/fcd9c923b58e86501450b9b442ccc7ce4a8d0fda cve-icon cve-icon
History

Mon, 18 Aug 2025 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Vendors & Products Linux
Linux linux Kernel

Sat, 16 Aug 2025 11:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible: T0 T1 zd_mac_tx_to_dev() /* len == skb_queue_len(q) */ while (len > ZD_MAC_MAX_ACK_WAITERS) { filter_ack() spin_lock_irqsave(&q->lock, flags); /* position == skb_queue_len(q) */ for (i=1; i<position; i++) skb = __skb_dequeue(q) if (mac->type == NL80211_IFTYPE_AP) skb = __skb_dequeue(q); spin_unlock_irqrestore(&q->lock, flags); skb_dequeue() -> NULL Since there is a small gap between checking skb queue length and skb being unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL. Then the pointer is passed to zd_mac_tx_status() where it is dereferenced. In order to avoid potential NULL pointer dereference due to situations like above, check if skb is not NULL before passing it to zd_mac_tx_status(). Found by Linux Verification Center (linuxtesting.org) with SVACE.
Title wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()
References
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-08-16T10:55:00.254Z

Updated: 2025-08-16T10:55:00.254Z

Reserved: 2025-04-16T04:51:24.023Z

Link: CVE-2025-38513

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-16T11:15:44.383

Modified: 2025-08-18T20:16:28.750

Link: CVE-2025-38513

cve-icon Redhat

No data.