Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2025-38291— wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash

EPSS 0.03% · P9

Affected Version Matrix 6

VendorProductVersion RangeStatus
LinuxLinuxa9b46dd2e483bf99fa09e6aeea7701960abaa902< 2563069baf243cadc76dc64d9085606742c4b282affected
a9b46dd2e483bf99fa09e6aeea7701960abaa902< e9e094a9734ea3bd4d4d117c915ccf129ac61ba1affected
6.13affected
< 6.13unaffected
6.15.3≤ 6.15.*unaffected
6.16≤ *unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-38291

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash Currently, we encounter the following kernel call trace when a firmware crash occurs. This happens because the host sends WMI commands to the firmware while it is in recovery, causing the commands to fail and resulting in the kernel call trace. Set the ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags when the host driver receives the firmware crash notification from MHI. This prevents sending WMI commands to the firmware during recovery. Call Trace: <TASK> dump_stack_lvl+0x75/0xc0 register_lock_class+0x6be/0x7a0 ? __lock_acquire+0x644/0x19a0 __lock_acquire+0x95/0x19a0 lock_acquire+0x265/0x310 ? ath12k_ce_send+0xa2/0x210 [ath12k] ? find_held_lock+0x34/0xa0 ? ath12k_ce_send+0x56/0x210 [ath12k] _raw_spin_lock_bh+0x33/0x70 ? ath12k_ce_send+0xa2/0x210 [ath12k] ath12k_ce_send+0xa2/0x210 [ath12k] ath12k_htc_send+0x178/0x390 [ath12k] ath12k_wmi_cmd_send_nowait+0x76/0xa0 [ath12k] ath12k_wmi_cmd_send+0x62/0x190 [ath12k] ath12k_wmi_pdev_bss_chan_info_request+0x62/0xc0 [ath1 ath12k_mac_op_get_survey+0x2be/0x310 [ath12k] ieee80211_dump_survey+0x99/0x240 [mac80211] nl80211_dump_survey+0xe7/0x470 [cfg80211] ? kmalloc_reserve+0x59/0xf0 genl_dumpit+0x24/0x70 netlink_dump+0x177/0x360 __netlink_dump_start+0x206/0x280 genl_family_rcv_msg_dumpit.isra.22+0x8a/0xe0 ? genl_family_rcv_msg_attrs_parse.isra.23+0xe0/0xe0 ? genl_op_lock.part.12+0x10/0x10 ? genl_dumpit+0x70/0x70 genl_rcv_msg+0x1d0/0x290 ? nl80211_del_station+0x330/0x330 [cfg80211] ? genl_get_cmd_both+0x50/0x50 netlink_rcv_skb+0x4f/0x100 genl_rcv+0x1f/0x30 netlink_unicast+0x1b6/0x260 netlink_sendmsg+0x31a/0x450 __sock_sendmsg+0xa8/0xb0 ____sys_sendmsg+0x1e4/0x260 ___sys_sendmsg+0x89/0xe0 ? local_clock_noinstr+0xb/0xc0 ? rcu_is_watching+0xd/0x40 ? kfree+0x1de/0x370 ? __sys_sendmsg+0x7a/0xc0 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于固件崩溃期间仍发送WMI命令,可能导致内核调用跟踪。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux a9b46dd2e483bf99fa09e6aeea7701960abaa902 ~ 2563069baf243cadc76dc64d9085606742c4b282 -
LinuxLinux 6.13 -

II. Public POCs for CVE-2025-38291

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-38291

登录查看更多情报信息。

Same Patch Batch · Linux · 2025-07-10 · 84 CVEs total

CVE-2025-38317wifi: ath12k: Fix buffer overflow in debugfs
CVE-2025-38328jffs2: check jffs2_prealloc_raw_node_refs() result in few other places
CVE-2025-38316wifi: mt76: mt7996: avoid NULL pointer dereference in mt7996_set_monitor()
CVE-2025-38315Bluetooth: btintel: Check dsbr size from EFI variable
CVE-2025-38314virtio-pci: Fix result size returned for the admin command completion
CVE-2025-38311iavf: get rid of the crit lock
CVE-2025-38310seg6: Fix validation of nexthop addresses
CVE-2025-38309drm/xe/vm: move xe_svm_init() earlier
CVE-2025-38308ASoC: Intel: avs: Fix possible null-ptr-deref when initing hw
CVE-2025-38313bus: fsl-mc: fix double-free on mc_dev
CVE-2025-38318perf: arm-ni: Fix missing platform_set_drvdata()
CVE-2025-38319drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table
CVE-2025-38320arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()
CVE-2025-38321smb: Log an error when close_all_cached_dirs fails
CVE-2025-38322perf/x86/intel: Fix crash in icl_update_topdown_event()
CVE-2025-38323net: atm: add lec_mutex
CVE-2025-38324mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().
CVE-2025-38325ksmbd: add free_transport ops in ksmbd connection
CVE-2025-38326aoe: clean device rq_list in aoedev_downdev()
CVE-2025-38327fgraph: Do not enable function_graph tracer when setting funcgraph-args

Showing top 20 of 84 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2025-38291

No comments yet

Leave a comment