CVE-2025-38601— wifi: ath11k: clear initialized flag for deinit-ed srng lists
Affected Version Matrix 18
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 5118935b1bc28d0bce9427e584e11e905e68ee9a< 3a6daae987a829534636fd85ed6f84d5f0ad7fa4 | affected |
5118935b1bc28d0bce9427e584e11e905e68ee9a< eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5 | affected | ||
5118935b1bc28d0bce9427e584e11e905e68ee9a< 916ac18d526a26f6072866b1a97622cf1351ef1c | affected | ||
5118935b1bc28d0bce9427e584e11e905e68ee9a< 5bf201c55fdf303e79005038648dfa1e8af48f54 | affected | ||
5118935b1bc28d0bce9427e584e11e905e68ee9a< 72a48be1f53942793f3bc68a37fad1f38b53b082 | affected | ||
5118935b1bc28d0bce9427e584e11e905e68ee9a< 0ebb5fe494501c19f31270008b26ab95201af6fd | affected | ||
5118935b1bc28d0bce9427e584e11e905e68ee9a< 16872194c80f2724472fc207991712895ac8a230 | affected | ||
5118935b1bc28d0bce9427e584e11e905e68ee9a< a5b46aa7cf5f05c213316a018e49a8e086efd98e | affected | ||
| … +10 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-38601
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
wifi: ath11k: clear initialized flag for deinit-ed srng lists
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: clear initialized flag for deinit-ed srng lists In a number of cases we see kernel panics on resume due to ath11k kernel page fault, which happens under the following circumstances: 1) First ath11k_hal_dump_srng_stats() call Last interrupt received for each group: ath11k_pci 0000:01:00.0: group_id 0 22511ms before ath11k_pci 0000:01:00.0: group_id 1 14440788ms before [..] ath11k_pci 0000:01:00.0: failed to receive control response completion, polling.. ath11k_pci 0000:01:00.0: Service connect timeout ath11k_pci 0000:01:00.0: failed to connect to HTT: -110 ath11k_pci 0000:01:00.0: failed to start core: -110 ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM ath11k_pci 0000:01:00.0: already resetting count 2 ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110 ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110 ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery [..] 2) At this point reconfiguration fails (we have 2 resets) and ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit() which destroys srng lists. However, it does not reset per-list ->initialized flag. 3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized flag and attempts to dump srng stats: Last interrupt received for each group: ath11k_pci 0000:01:00.0: group_id 0 66785ms before ath11k_pci 0000:01:00.0: group_id 1 14485062ms before ath11k_pci 0000:01:00.0: group_id 2 14485062ms before ath11k_pci 0000:01:00.0: group_id 3 14485062ms before ath11k_pci 0000:01:00.0: group_id 4 14780845ms before ath11k_pci 0000:01:00.0: group_id 5 14780845ms before ath11k_pci 0000:01:00.0: group_id 6 14485062ms before ath11k_pci 0000:01:00.0: group_id 7 66814ms before ath11k_pci 0000:01:00.0: group_id 8 68997ms before ath11k_pci 0000:01:00.0: group_id 9 67588ms before ath11k_pci 0000:01:00.0: group_id 10 69511ms before BUG: unable to handle page fault for address: ffffa007404eb010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k] Call Trace: <TASK> ? __die_body+0xae/0xb0 ? page_fault_oops+0x381/0x3e0 ? exc_page_fault+0x69/0xa0 ? asm_exc_page_fault+0x22/0x30 ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)] ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)] worker_thread+0x389/0x930 kthread+0x149/0x170 Clear per-list ->initialized flag in ath11k_hal_srng_deinit().
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于wifi: ath11k模块在未清除初始化标志时可能导致空指针取消引用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-38601
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-38601
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-08-19 · 59 CVEs total
| CVE-2025-38594 | iommu/vt-d: Fix UAF on sva unbind with pending IOPFs | |
| CVE-2025-38608 | bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls | |
| CVE-2025-38612 | staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() | |
| CVE-2025-38610 | powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() | |
| CVE-2025-38609 | PM / devfreq: Check governor before using governor->name | |
| CVE-2025-38613 | staging: gpib: fix unset padding field copy back to userspace | |
| CVE-2025-38598 | drm/amdgpu: fix use-after-free in amdgpu_userq_suspend+0x51a/0x5a0 | |
| CVE-2025-38597 | drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port | |
| CVE-2025-38595 | xen: fix UAF in dmabuf_exp_from_pages() | |
| CVE-2025-38596 | drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code | |
| CVE-2025-38599 | wifi: mt76: mt7996: Fix possible OOB access in mt7996_tx() | |
| CVE-2025-38593 | Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()' | |
| CVE-2025-38592 | Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv | |
| CVE-2025-38591 | bpf: Reject narrower access to pointer ctx fields | |
| CVE-2025-38590 | net/mlx5e: Remove skb secpath if xfrm state is not found | |
| CVE-2025-38589 | neighbour: Fix null-ptr-deref in neigh_flush_dev(). | |
| CVE-2025-38588 | ipv6: prevent infinite loop in rt6_nlmsg_size() | |
| CVE-2025-38587 | ipv6: fix possible infinite loop in fib6_info_uses_dev() | |
| CVE-2025-38586 | bpf, arm64: Fix fp initialization for exception boundary | |
| CVE-2025-38585 | staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() |
Showing top 20 of 59 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-46331
net/sched: fix pedit partial COW leading to page cache corru - CVE-2026-52907
media: rockchip: rkcif: fix off by one bugs - CVE-2026-52906
9p: fix access mode flags being ORed instead of replaced - CVE-2026-52905
mm/damon/core: disallow non-power of two min_region_sz on da - CVE-2026-52904
drm/nouveau: fix nvkm_device leak on aperture removal failur
Same vendor: Linux
- CVE-2026-46331
net/sched: fix pedit partial COW leading to page cache corru - CVE-2026-52907
media: rockchip: rkcif: fix off by one bugs - CVE-2026-52906
9p: fix access mode flags being ORed instead of replaced - CVE-2026-52905
mm/damon/core: disallow non-power of two min_region_sz on da - CVE-2026-52904
drm/nouveau: fix nvkm_device leak on aperture removal failur
V. Comments for CVE-2025-38601
No comments yet