CVE-2025-38643

Severity: MEDIUM
Published: 2025-08-22
CVSS 3.1 base score: 5.5

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd) - patch available
CVE Published: Aug 22, 2025 - 16:15 (nvd)

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()

Callers of wdev_chandef() must hold the wiphy mutex. But the worker cfg80211_propagate_cac_done_wk() never takes the lock, which triggers the warning below with the mesh_peer_connected_dfs test from hostapd and not (yet) released mac80211 code changes:

WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165
Modules linked in:
CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf
Workqueue: cfg80211 cfg80211_propagate_cac_done_wk
Stack: 00000000 00000001 ffffff00 6093267c 00000000 6002ec30 6d577c50 60037608 00000000 67e8d108 6063717b 00000000
Call Trace:
[<6002ec30>] ? _printk+0x0/0x98
[<6003c2b3>] show_stack+0x10e/0x11a
[<6002ec30>] ? _printk+0x0/0x98
[<60037608>] dump_stack_lvl+0x71/0xb8
[<6063717b>] ? wdev_chandef+0x60/0x165
[<6003766d>] dump_stack+0x1e/0x20
[<6005d1b7>] __warn+0x101/0x20f
[<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d
[<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec
[<60751191>] ? __this_cpu_preempt_check+0x0/0x16
[<600b11a2>] ? mark_held_locks+0x5a/0x6e
[<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d
[<60052e53>] ? unblock_signals+0x3a/0xe7
[<60052f2d>] ? um_set_signals+0x2d/0x43
[<60751191>] ? __this_cpu_preempt_check+0x0/0x16
[<607508b2>] ? lock_is_held_type+0x207/0x21f
[<6063717b>] wdev_chandef+0x60/0x165
[<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f
[<60052f00>] ? um_set_signals+0x0/0x43
[<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a
[<6007e460>] process_scheduled_works+0x3bc/0x60e
[<6007d0ec>] ? move_linked_works+0x4d/0x81
[<6007d120>] ? assign_work+0x0/0xaa
[<6007f81f>] worker_thread+0x220/0x2dc
[<600786ef>] ? set_pf_worker+0x0/0x57
[<60087c96>] ? to_kthread+0x0/0x43
[<6008ab3c>] kthread+0x2d3/0x2e2
[<6007f5ff>] ? worker_thread+0x0/0x2dc
[<6006c05b>] ? calculate_sigpending+0x0/0x56
[<6003b37d>] new_thread_handler+0x4a/0x64
irq event stamp: 614611
hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf
hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf
softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985
softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985

Analysis

A missing lock protection in the Linux kernel's cfg80211 wireless configuration subsystem causes a race condition when the cfg80211_propagate_cac_done_wk worker function attempts to access wireless device channel definitions without holding the required wiphy mutex. This allows a local attacker with limited privileges to trigger a kernel warning and cause a denial of service condition. The vulnerability affects Linux kernel versions from 5.5 onwards across multiple stable releases, with patches available from the vendor and deployed via Ubuntu security advisories USN-8095-2, USN-8095-3, and USN-8100-1. The EPSS score of 0.02% indicates very low actual exploitation probability despite the moderate CVSS score.

Technical Context

The vulnerability resides in the Linux kernel's cfg80211 (configuration 802.11) wireless subsystem, which manages WiFi device configuration and regulatory domain handling. wdev_chandef(), the helper in net/wireless/chan.c that looks up a wireless device's channel definition, is documented to require the wiphy (wireless PHY device) mutex; the cfg80211_propagate_cac_done_wk worker reaches it through regulatory_propagate_dfs_state() (see the trace above) without ever acquiring that lock, and the fix adds the missing lock in cfg80211_check_and_end_cac(). This is classified as CWE-667 (Improper Locking): a race condition in which a shared resource is accessed concurrently without the required synchronization. The affected component is part of Dynamic Frequency Selection (DFS) and Channel Availability Check (CAC) handling for WiFi regulatory compliance, particularly affecting mesh networking on DFS-enabled bands. Linux kernel versions 5.5 through 6.14.0-rc5 contain the vulnerable code path.

Affected Products

The Linux kernel is affected across multiple versions and distributions. The vulnerability impacts Linux kernel starting from version 5.5 through 6.14.0-rc5, with confirmed CPE identifiers cpe:2.3:o:linux:linux_kernel:5.5:* and cpe:2.3:o:linux:linux_kernel:5.5:rc7:*. The vulnerability has been patched via six kernel commits available at https://git.kernel.org/stable/ (commits 2c5dee15239f3f3e31aa5c8808f18996c039e2c1, 4a63523d3541eef4cf504a9682e6fbe94ffe79a6, 7022df2248c08c6f75a01714163ac902333bf3db, b3d24038eb775f2f7a1dfef58d8e1dc444a12820, dbce810607726408f889d3358f4780fd1436861e, and defe9ce121160788547e8e6ec4438ad8a14f40dd). Ubuntu systems running affected kernel versions are addressed via security advisories USN-8095-2, USN-8095-3, and USN-8100-1 at https://ubuntu.com/security/notices/.

Remediation

Update the Linux kernel to a patched version that takes the wiphy mutex on the cfg80211_propagate_cac_done_wk() path. For Ubuntu users, apply the security updates from USN-8095-2, USN-8095-3, or USN-8100-1 (https://ubuntu.com/security/notices/), which incorporate the fix. For other distributions, verify that your kernel includes one of the six patched commits listed under Affected Products (2c5dee15239f3f3e31aa5c8808f18996c039e2c1 or the corresponding stable backport). Reboot after the kernel update so the patched code is actually running. For systems that cannot be patched immediately, the impact is limited to denial of service through kernel warnings in mesh networking with DFS scenarios; mitigate by disabling mesh mode or DFS where not required, or by restricting local system access to trusted users. Monitor kernel logs for warnings raised in wdev_chandef() in net/wireless/chan.c to detect exploitation attempts on unpatched systems; the trace above reports it at chan.c:1552, but the line number varies between kernel builds, so match on the function name and on the "Workqueue: cfg80211 cfg80211_propagate_cac_done_wk" line rather than on the line number.
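As an added detection example (not part of the vuln.today record or of the kernel project), this Python scans kernel log lines for the splat described above and reports only warnings raised from the cfg80211_propagate_cac_done_wk work item; the dmesg excerpt is constructed, and the assumed splat layout (WARNING, then CPU/Comm, then Workqueue, then "Call Trace:") follows the trace quoted in the Description.

```python
import re

# Signature of the splat quoted in the Description: WARNING in wdev_chandef()
# in net/wireless/chan.c, raised from the cfg80211_propagate_cac_done_wk work
# item. The chan.c line number is not pinned: it differs between kernel builds.
WARN_RE = re.compile(r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
                     r"net/wireless/chan\.c:\d+ wdev_chandef\+0x[0-9a-f]+/")
COMM_RE = re.compile(r"CPU: \d+ (?:UID: \d+ )?PID: \d+ Comm: (?P<comm>\S+)")
WORKQUEUE_RE = re.compile(r"Workqueue: (?P<wq>\S+) (?P<fn>\S+)")
CAC_WORKER = "cfg80211_propagate_cac_done_wk"


def find_cac_lock_warnings(lines):
    """Return one record per wdev_chandef() warning raised from the CAC worker.
    A WARNING with no CAC Workqueue line before "Call Trace:" comes from some
    other caller and is ignored, so unrelated chan.c warnings are not counted."""
    hits, current = [], None
    for line in lines:
        if (m := WARN_RE.search(line)):
            # Start a new record; fields are filled in by the following lines.
            current = {"cpu": int(m["cpu"]), "pid": int(m["pid"]),
                       "comm": None, "workqueue": None}
        elif current is None:
            continue
        elif (m := COMM_RE.search(line)):
            current["comm"] = m["comm"]
        elif (m := WORKQUEUE_RE.search(line)) and m["fn"] == CAC_WORKER:
            current["workqueue"] = m["fn"]
            hits.append(current)
            current = None
        elif "Call Trace:" in line:
            current = None  # no CAC Workqueue line seen: not this signature
    return hits


# Constructed dmesg excerpt (not a real capture): the first splat mirrors the
# one in the Description; the second is a wdev_chandef() warning from a
# non-worker caller and must not be reported.
SAMPLE_DMESG = """\
[   71.200001] WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165
[   71.200002] Modules linked in:
[   71.200003] CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33
[   71.200004] Workqueue: cfg80211 cfg80211_propagate_cac_done_wk
[   71.200005] Call Trace:
[   71.200006]  regulatory_propagate_dfs_state+0x247/0x43f
[   90.000001] WARNING: CPU: 1 PID: 1203 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165
[   90.000002] CPU: 1 UID: 1000 PID: 1203 Comm: iw Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33
[   90.000003] Call Trace:
"""
```

On a live host, feed it the lines from `journalctl -k -o cat` or `dmesg`; because the match is not tied to chan.c:1552 it stays valid across kernel builds.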

Priority Score

28 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0

CVE-2025-38643 vulnerability details – vuln.today