CVE-2025-38450— wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload()
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-38450
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Add a NULL check for msta->vif before accessing its members to prevent a kernel panic in AP mode deployment. This also fix the issue reported in [1]. The crash occurs when this function is triggered before the station is fully initialized. The call trace shows a page fault at mt7925_sta_set_decap_offload() due to accessing resources when msta->vif is NULL. Fix this by adding an early return if msta->vif is NULL and also check wcid.sta is ready. This ensures we only proceed with decap offload configuration when the station's state is properly initialized. [14739.655703] Unable to handle kernel paging request at virtual address ffffffffffffffa0 [14739.811820] CPU: 0 UID: 0 PID: 895854 Comm: hostapd Tainted: G [14739.821394] Tainted: [C]=CRAP, [O]=OOT_MODULE [14739.825746] Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT) [14739.831577] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [14739.838538] pc : mt7925_sta_set_decap_offload+0xc0/0x1b8 [mt7925_common] [14739.845271] lr : mt7925_sta_set_decap_offload+0x58/0x1b8 [mt7925_common] [14739.851985] sp : ffffffc085efb500 [14739.855295] x29: ffffffc085efb500 x28: 0000000000000000 x27: ffffff807803a158 [14739.862436] x26: ffffff8041ececb8 x25: 0000000000000001 x24: 0000000000000001 [14739.869577] x23: 0000000000000001 x22: 0000000000000008 x21: ffffff8041ecea88 [14739.876715] x20: ffffff8041c19ca0 x19: ffffff8078031fe0 x18: 0000000000000000 [14739.883853] x17: 0000000000000000 x16: ffffffe2aeac1110 x15: 000000559da48080 [14739.890991] x14: 0000000000000001 x13: 0000000000000000 x12: 0000000000000000 [14739.898130] x11: 0a10020001008e88 x10: 0000000000001a50 x9 : ffffffe26457bfa0 [14739.905269] x8 : ffffff8042013bb0 x7 : ffffff807fb6cbf8 x6 : dead000000000100 [14739.912407] x5 : dead000000000122 x4 : ffffff80780326c8 x3 : 0000000000000000 [14739.919546] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff8041ececb8 [14739.926686] Call trace: [14739.929130] mt7925_sta_set_decap_offload+0xc0/0x1b8 [mt7925_common] [14739.935505] ieee80211_check_fast_rx+0x19c/0x510 [mac80211] [14739.941344] _sta_info_move_state+0xe4/0x510 [mac80211] [14739.946860] sta_info_move_state+0x1c/0x30 [mac80211] [14739.952116] sta_apply_auth_flags.constprop.0+0x90/0x1b0 [mac80211] [14739.958708] sta_apply_parameters+0x234/0x5e0 [mac80211] [14739.964332] ieee80211_add_station+0xdc/0x190 [mac80211] [14739.969950] nl80211_new_station+0x46c/0x670 [cfg80211] [14739.975516] genl_family_rcv_msg_doit+0xdc/0x150 [14739.980158] genl_rcv_msg+0x218/0x298 [14739.983830] netlink_rcv_skb+0x64/0x138 [14739.987670] genl_rcv+0x40/0x60 [14739.990816] netlink_unicast+0x314/0x380 [14739.994742] netlink_sendmsg+0x198/0x3f0 [14739.998664] __sock_sendmsg+0x64/0xc0 [14740.002324] ____sys_sendmsg+0x260/0x298 [14740.006242] ___sys_sendmsg+0xb4/0x110
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于sta_set_decap_offload中的空指针解引用问题。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-38450
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-38450
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-07-25 · 114 CVEs total
| CVE-2025-38424 | perf: Fix sample vs do_exit() | |
| CVE-2025-38438 | ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. | |
| CVE-2025-38437 | ksmbd: fix potential use-after-free in oplock/lease break ack | |
| CVE-2025-38436 | drm/scheduler: signal scheduled fence when kill job | |
| CVE-2025-38435 | riscv: vector: Fix context save/restore with xtheadvector | |
| CVE-2025-38434 | Revert "riscv: Define TASK_SIZE_MAX for __access_ok()" | |
| CVE-2025-38433 | riscv: fix runtime constant support for nommu kernels | |
| CVE-2025-38432 | net: netpoll: Initialize UDP checksum field before checksumming | |
| CVE-2025-38431 | smb: client: fix regression with native SMB symlinks | |
| CVE-2025-38430 | nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request | |
| CVE-2025-38429 | bus: mhi: ep: Update read pointer only after buffer is written | |
| CVE-2025-38428 | Input: ims-pcu - check record size in ims_pcu_flash_firmware() | |
| CVE-2025-38427 | video: screen_info: Relocate framebuffers behind PCI bridges | |
| CVE-2025-38425 | i2c: tegra: check msg length in SMBUS block read | |
| CVE-2025-38426 | drm/amdgpu: Add basic validation for RAS header | |
| CVE-2025-38413 | virtio-net: xsk: rx: fix the frame's length check | |
| CVE-2025-38416 | NFC: nci: uart: Set tty->disc_data only in success path | |
| CVE-2025-38415 | Squashfs: check return result of sb_min_blocksize | |
| CVE-2025-38414 | wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 | |
| CVE-2025-38417 | ice: fix eswitch code memory leak in reset scenario |
Showing top 20 of 114 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length - CVE-2026-43489
liveupdate: luo_file: remember retrieve() status - CVE-2026-43487
ata: libata-core: Disable LPM on ST1000DM010-2EP102 - CVE-2026-43488
usb: xhci: Prevent interrupt storm on host controller error
Same vendor: Linux
- CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length - CVE-2026-43489
liveupdate: luo_file: remember retrieve() status - CVE-2026-43487
ata: libata-core: Disable LPM on ST1000DM010-2EP102 - CVE-2026-43488
usb: xhci: Prevent interrupt storm on host controller error
V. Comments for CVE-2025-38450
No comments yet