Linux Kernel CVE-2025-38643
MEDIUMCVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()
Callers of wdev_chandef() must hold the wiphy mutex.
But the worker cfg80211_propagate_cac_done_wk() never takes the lock. Which triggers the warning below with the mesh_peer_connected_dfs test from hostapd and not (yet) released mac80211 code changes:
WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165 Modules linked in: CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf Workqueue: cfg80211 cfg80211_propagate_cac_done_wk Stack: 00000000 00000001 ffffff00 6093267c 00000000 6002ec30 6d577c50 60037608 00000000 67e8d108 6063717b 00000000 Call Trace: [<6002ec30>] ? _printk+0x0/0x98 [<6003c2b3>] show_stack+0x10e/0x11a [<6002ec30>] ? _printk+0x0/0x98 [<60037608>] dump_stack_lvl+0x71/0xb8 [<6063717b>] ? wdev_chandef+0x60/0x165 [<6003766d>] dump_stack+0x1e/0x20 [<6005d1b7>] __warn+0x101/0x20f [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 [<600b11a2>] ? mark_held_locks+0x5a/0x6e [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d [<60052e53>] ? unblock_signals+0x3a/0xe7 [<60052f2d>] ? um_set_signals+0x2d/0x43 [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 [<607508b2>] ? lock_is_held_type+0x207/0x21f [<6063717b>] wdev_chandef+0x60/0x165 [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f [<60052f00>] ? um_set_signals+0x0/0x43 [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a [<6007e460>] process_scheduled_works+0x3bc/0x60e [<6007d0ec>] ? move_linked_works+0x4d/0x81 [<6007d120>] ? assign_work+0x0/0xaa [<6007f81f>] worker_thread+0x220/0x2dc [<600786ef>] ? set_pf_worker+0x0/0x57 [<60087c96>] ? to_kthread+0x0/0x43 [<6008ab3c>] kthread+0x2d3/0x2e2 [<6007f5ff>] ? worker_thread+0x0/0x2dc [<6006c05b>] ? calculate_sigpending+0x0/0x56 [<6003b37d>] new_thread_handler+0x4a/0x64 irq event stamp: 614611 hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985 softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985
AnalysisAI
A missing lock protection in the Linux kernel's cfg80211 wireless configuration subsystem causes a race condition when the cfg80211_propagate_cac_done_wk worker function attempts to access wireless device channel definitions without holding the required wiphy mutex. This allows a local attacker with limited privileges to trigger a kernel warning and cause a denial of service condition. The vulnerability affects Linux kernel versions from 5.5 onwards across multiple stable releases, with patches available from the vendor and deployed via Ubuntu security advisories USN-8095-2, USN-8095-3, and USN-8100-1. The EPSS score of 0.02% indicates very low actual exploitation probability despite the moderate CVSS score.
Technical ContextAI
The vulnerability resides in the Linux kernel's cfg80211 (configuration 802.11) wireless subsystem, which manages WiFi device configuration and regulatory domain handling. Specifically, the cfg80211_propagate_cac_done_wk worker function in net/wireless/chan.c fails to acquire the wiphy (wireless PHY device) mutex before invoking wdev_chandef(), a function documented to require this lock for safe access to wireless device channel definition data structures. This is classified as CWE-667 (Improper Locking), a race condition vulnerability where concurrent access to shared resources occurs without proper synchronization. The affected component is part of Dynamic Frequency Selection (DFS) and Channel Access Time (CAC) handling in WiFi regulation compliance, particularly impacting mesh networking scenarios with DFS-enabled bands. Linux kernel versions 5.5 through 6.14.0-rc5 contain the vulnerable code path.
RemediationAI
Update the Linux kernel to a patched version that includes the wiphy mutex lock in cfg80211_propagate_cac_done_wk(). For Ubuntu users, apply security updates from USN-8095-2, USN-8095-3, or USN-8100-1 (https://ubuntu.com/security/notices/) which incorporate the fix. For other distributions, verify that your kernel version includes one of the six patched commits (2c5dee15239f3f3e31aa5c8808f18996c039e2c1 or later stable versions). Reboot the system after kernel update to activate the patched code. For systems unable to immediately patch, the vulnerability impact is limited to denial of service through kernel warnings in mesh networking + DFS scenarios; mitigate by disabling mesh mode or DFS if not required, or restricting local system access to trusted users only. Monitor kernel logs for warnings from net/wireless/chan.c:1552 (wdev_chandef) to detect exploitation attempts on unpatched systems.
More from same product – last 7 days
Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect
Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authentic
NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash th
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today