CVE-2025-22119

MEDIUM
2025-04-16 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd) - Patch available
CVE Published: Apr 16, 2025 - 15:16 (nvd)

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: init wiphy_work before allocating rfkill fails

syzbot reported an uninitialized wiphy_work_lock in cfg80211_dev_free. [1]

After rfkill allocation fails, the wiphy release process will be performed, which will cause cfg80211_dev_free to access the uninitialized wiphy_work related data.

Move the initialization of wiphy_work to before rfkill initialization to avoid this issue.

[1]
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 0 UID: 0 PID: 5935 Comm: syz-executor550 Not tainted 6.14.0-rc6-syzkaller-00103-g4003c9e78778 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 assign_lock_key kernel/locking/lockdep.c:983 [inline]
 register_lock_class+0xc39/0x1240 kernel/locking/lockdep.c:1297
 __lock_acquire+0x135/0x3c40 kernel/locking/lockdep.c:5103
 lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5851
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
 cfg80211_dev_free+0x30/0x3d0 net/wireless/core.c:1196
 device_release+0xa1/0x240 drivers/base/core.c:2568
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e4/0x5a0 lib/kobject.c:737
 put_device+0x1f/0x30 drivers/base/core.c:3774
 wiphy_free net/wireless/core.c:1224 [inline]
 wiphy_new_nm+0x1c1f/0x2160 net/wireless/core.c:562
 ieee80211_alloc_hw_nm+0x1b7a/0x2260 net/mac80211/main.c:835
 mac80211_hwsim_new_radio+0x1d6/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5185
 hwsim_new_radio_nl+0xb42/0x12b0 drivers/net/wireless/virtual/mac80211_hwsim.c:6242
 genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2533
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1882
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:733 [inline]
 ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2573
 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2627
 __sys_sendmsg+0x16e/0x220 net/socket.c:2659
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83

Closes: https://syzkaller.appspot.com/bug?extid=aaf0488c83d1d5f4f029

Analysis

This is an uninitialized lock vulnerability in the Linux kernel's cfg80211 wireless driver subsystem where the wiphy_work_lock is accessed before being initialized when rfkill allocation fails during device initialization. An unprivileged local attacker can trigger this during WiFi device enumeration or configuration, causing a kernel panic and denial of service. The vulnerability affects Linux kernel versions 6.14 and earlier, with patches available from the vendor; exploitation requires local access but is easily triggerable through standard wireless device management operations.

Technical Context

The vulnerability exists in net/wireless/core.c within the cfg80211 subsystem of the Linux kernel, which manages wireless device driver configuration and control. The issue stems from improper initialization ordering in the wiphy (wireless PHY) device allocation and cleanup routines. When rfkill initialization fails inside wiphy_new_nm(), the device release path (cfg80211_dev_free) tries to acquire wiphy_work_lock via spin_lock_irqsave, but that lock was never initialized because, in the original code, wiphy_work initialization happens only after rfkill allocation. This is classified as CWE-908 (Use of Uninitialized Resource): a synchronization primitive is used on kernel data that has not been initialized. The affected product is the Linux kernel itself across multiple versions (the cpe:2.3:o:linux:linux_kernel CPE covers the affected version ranges), with Debian Linux 11.0 also listed as an affected distribution.
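To make the ordering problem concrete, here is an added user-space model of the bug and of the shape of the fix; it is not kernel code and not the upstream patch. The only behaviour taken from the page is the one visible in the call trace: the release path (cfg80211_dev_free) always takes wiphy_work_lock, so whatever runs before it must have initialized that lock. Everything else (model_lock, model_wiphy, the LOCK_MAGIC check standing in for lockdep's "trying to register non-static key" warning, wiphy_new_buggy and wiphy_new_fixed) is invented for the illustration.

```c
/* Added example, not Linux kernel code: a user-space model of the
 * init-ordering bug behind CVE-2025-22119 and of the reordering that fixes it.
 * All names below are hypothetical stand-ins for the kernel objects. */
#include <stdio.h>
#include <stdlib.h>

/* A lock that knows whether it was initialised. In the kernel this role is
 * played by lockdep, which complains when a spinlock with no registered
 * class key is taken ("trying to register non-static key"). */
#define LOCK_MAGIC 0x4c4f434bu

struct model_lock {
    unsigned int magic;  /* LOCK_MAGIC only after model_lock_init() */
    int held;
};

static void model_lock_init(struct model_lock *l)
{
    l->magic = LOCK_MAGIC;
    l->held = 0;
}

/* Returns 0 on success, -1 if the lock was never initialised. */
static int model_lock_acquire(struct model_lock *l)
{
    if (l->magic != LOCK_MAGIC)
        return -1;
    l->held = 1;
    return 0;
}

/* Stand-in for struct cfg80211_registered_device: an rfkill pointer and the
 * wiphy_work state that the release path depends on. */
struct model_wiphy {
    void *rfkill;                      /* NULL when rfkill allocation failed */
    struct model_lock wiphy_work_lock; /* must be initialised before any teardown */
    int work_list_inited;
};

/* Models cfg80211_dev_free(): teardown always takes wiphy_work_lock to
 * flush pending work, no matter how far allocation got. */
static int model_dev_free(struct model_wiphy *w)
{
    int rc = model_lock_acquire(&w->wiphy_work_lock);
    free(w->rfkill);
    free(w);
    return rc; /* -1 means teardown touched an uninitialised lock */
}

static void *model_rfkill_alloc(int should_fail)
{
    return should_fail ? NULL : malloc(1);
}

/* Buggy ordering (the pre-fix shape): rfkill is allocated before the work
 * lock is set up, so an rfkill failure reaches the release path with the
 * lock still zeroed from calloc(). */
static int wiphy_new_buggy(int rfkill_fails)
{
    struct model_wiphy *w = calloc(1, sizeof *w);
    if (!w)
        abort();
    w->rfkill = model_rfkill_alloc(rfkill_fails);
    if (!w->rfkill)
        return model_dev_free(w);      /* error path: returns -1 */
    model_lock_init(&w->wiphy_work_lock);
    w->work_list_inited = 1;
    return model_dev_free(w);          /* normal teardown: returns 0 */
}

/* Fixed ordering: initialise everything the release path depends on
 * before the first operation that can fail. */
static int wiphy_new_fixed(int rfkill_fails)
{
    struct model_wiphy *w = calloc(1, sizeof *w);
    if (!w)
        abort();
    model_lock_init(&w->wiphy_work_lock);
    w->work_list_inited = 1;
    w->rfkill = model_rfkill_alloc(rfkill_fails);
    if (!w->rfkill)
        return model_dev_free(w);      /* error path: now returns 0 */
    return model_dev_free(w);
}

int main(void)
{
    printf("buggy, rfkill ok:    %d\n", wiphy_new_buggy(0));
    printf("buggy, rfkill fails: %d\n", wiphy_new_buggy(1));
    printf("fixed, rfkill ok:    %d\n", wiphy_new_fixed(0));
    printf("fixed, rfkill fails: %d\n", wiphy_new_fixed(1));
    return 0;
}
```

The general rule the fix applies is the one worth keeping in review: any state that a shared error or release path reads must be initialised before the first `goto`-to-cleanup point, not at the point where the happy path first needs it. Only the rfkill-failure case in the buggy variant returns -1; the same failure in the reordered variant tears down cleanly.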

Affected Products

The Linux kernel is the primary affected product, with confirmed impact across multiple versions including the 6.14 release candidate and final versions up to 6.14.1 as indicated by CPE entries (cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:6.14:rc7:*:*:*:*:*:*, cpe:2.3:o:linux:linux_kernel:6.14.1:*:*:*:*:*:*:*). Debian Linux 11.0 (cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*) is also listed as affected, indicating the vulnerability propagates into stable Linux distributions. Multiple stable kernel branches have received patches, as evidenced by the six separate patch references from git.kernel.org stable branches, which indicates the fix was backported to earlier kernel versions. Any distribution or system running an affected Linux kernel version with cfg80211 wireless driver support is vulnerable.

Remediation

Apply the kernel patch immediately by upgrading to a patched version of the Linux kernel. Vendors have released fixes across multiple stable branches, with patches available at https://git.kernel.org/stable/c/2617f60c3613ef105b8db2d514d2cac2a1836f7d and related stable branch commits. For Debian Linux 11.0 systems, check the Debian security advisory at https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html for the appropriate kernel update. The fix involves reordering initialization in wiphy_new_nm() to initialize wiphy_work before attempting rfkill allocation, ensuring the lock is properly initialized before any cleanup paths can access it. If immediate patching is not possible, restrict wireless device enumeration and configuration operations to trusted administrators only, and monitor system logs for lockdep warnings indicating uninitialized lock access attempts. Verify patch application by confirming the wiphy_work initialization occurs prior to rfkill allocation in the cfg80211 code.

Priority Score

28 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +28
POC: 0

Vendor Status


CVE-2025-22119 vulnerability details – vuln.today
