EUVD-2025-20956

CVE-2025-38292 | Severity: HIGH | CVSS 3.1 base score: 7.1
Published: 2025-07-10 | Assigner ID: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline (4 events, newest first)

Analysis Generated: Mar 16, 2026 06:52 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 06:52 (euvd) - EUVD-2025-20956
Patch Released: Mar 16, 2026 06:52 (nvd) - patch available
CVE Published: Jul 10, 2025 08:15 (nvd) - HIGH 7.1

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix invalid access to memory. In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and the boolean is_continuation is part of rxcb. Currently, after freeing the skb, rxcb->is_continuation is accessed again, which is wrong since the memory is already freed. This might lead to a use-after-free error. Hence, fix by locally defining bool is_continuation from rxcb, so that after freeing the skb, is_continuation can be used. Compile tested only.

Analysis

CVE-2025-38292 is a use-after-free in the Linux kernel's ath12k Wi-Fi driver: in ath12k_dp_rx_msdu_coalesce(), the is_continuation flag is read from the rxcb control block after the skb that holds it has already been freed. The CVSS 3.1 vector rates it as locally triggerable by a low-privileged user with no user interaction (AV:L/PR:L/UI:N), with high confidentiality and availability impact and no integrity impact; in practice that means a kernel crash or a read of stale memory rather than code execution. Note that the affected function is in the receive path, so the code runs on frames the hardware delivers; treat the "Local" rating as a scoring convention and do not assume received traffic cannot reach it. The CVE is not listed in CISA KEV and this page shows no EPSS signal, and the fix note says it was compile tested only, so no reproducer is described. Overall risk is moderate, highest on multi-user or exposed hosts running ath12k hardware.

Technical Context

The vulnerability is in the Qualcomm ath12k Wi-Fi driver (drivers/net/wireless/ath/ath12k/ in the kernel tree), which supports Qualcomm's 802.11be (Wi-Fi 7) chipsets; the 802.11ax (Wi-Fi 6/6E) parts are handled by the separate ath11k driver. The flaw is in the receive (RX) data path, in the function that coalesces an MSDU (MAC Service Data Unit) that arrived spread across several RX buffers into a single skb. Each RX skb carries an ath12k_skb_rxcb (RX control block) in its skb->cb scratch area; among its fields is is_continuation, which records whether the MSDU continues in a following RX buffer, i.e. the value the coalescing loop uses to decide whether more buffers belong to the same MSDU. The buggy code freed the skb (dev_kfree_skb() or a variant) and then read rxcb->is_continuation through a pointer into that freed skb's cb area. This is a use-after-free (CWE-416): the memory may already have been poisoned or reused by the time of the read, so the flag value is unpredictable and, with KASAN enabled, the read is reported as an error. The fix copies is_continuation into a local variable before the free and uses the local afterwards, so the freed object is never touched.
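The following stand-alone C program is an added illustration of the bug pattern and its fix; it is not ath12k code and the structure layouts are simplified assumptions, not the kernel's definitions. The "free" is modelled as slab-style poisoning (SLUB's 0x6b POISON_FREE byte) rather than a real deallocation so that the stale read in the vulnerable version is observable instead of a crash, and the flag is declared as uint8_t rather than bool for the same reason. The chain walker shows why the value matters: the coalescing loop keeps consuming buffers only while the flag says the MSDU continues.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the kernel objects involved. Names follow ath12k; layouts are
 * assumptions for this demo, not the kernel's definitions. */
struct sk_buff {
    unsigned char cb[48];   /* skb->cb: per-layer scratch area; ath12k keeps its rxcb here */
    int freed;              /* demo-only marker */
};

/* The driver declares is_continuation as bool; uint8_t here so a poisoned
 * byte can be read back and compared without undefined behaviour. */
struct ath12k_skb_rxcb {
    uint8_t is_first_msdu;
    uint8_t is_last_msdu;
    uint8_t is_continuation;   /* MSDU continues in the next RX buffer */
};

#define ATH12K_SKB_RXCB(skb) ((struct ath12k_skb_rxcb *)(skb)->cb)
#define POISON_FREE 0x6b       /* SLUB's free-object poison byte */

/* Stand-in for dev_kfree_skb(): poison the object as a debug slab allocator
 * would, but keep the memory mapped so the stale read is observable. */
static void kfree_skb_model(struct sk_buff *skb)
{
    memset(skb->cb, POISON_FREE, sizeof(skb->cb));
    skb->freed = 1;
}

static struct sk_buff *alloc_skb_model(uint8_t is_continuation)
{
    struct sk_buff *skb = calloc(1, sizeof(*skb));
    if (!skb)
        abort();
    ATH12K_SKB_RXCB(skb)->is_continuation = is_continuation;
    return skb;
}

/* Buggy shape: rxcb points into skb->cb, so after the free it points into
 * freed memory and the return value is whatever byte sits there now. */
static int coalesce_vulnerable(struct sk_buff *skb)
{
    struct ath12k_skb_rxcb *rxcb = ATH12K_SKB_RXCB(skb);

    /* ... copy this buffer's payload into the head skb ... */
    kfree_skb_model(skb);
    return rxcb->is_continuation;      /* use-after-free */
}

/* Fixed shape, as in the upstream change: copy the flag to a local before
 * freeing, and never dereference rxcb again. */
static int coalesce_fixed(struct sk_buff *skb)
{
    struct ath12k_skb_rxcb *rxcb = ATH12K_SKB_RXCB(skb);
    uint8_t is_continuation = rxcb->is_continuation;

    /* ... copy this buffer's payload into the head skb ... */
    kfree_skb_model(skb);
    return is_continuation;            /* local copy; freed skb untouched */
}

/* Walk a chain of RX buffers the way the coalescing loop would: keep going
 * while the just-consumed buffer says the MSDU continues. Returns buffers
 * consumed, or -1 if the flag came back as garbage (the UAF made visible). */
static int walk_chain(struct sk_buff **bufs, int n, int (*coalesce)(struct sk_buff *))
{
    int consumed = 0;
    for (int i = 0; i < n; i++) {
        int cont = coalesce(bufs[i]);
        consumed++;
        if (cont != 0 && cont != 1)
            return -1;
        if (!cont)
            break;
    }
    return consumed;
}

/* Constructed input: an MSDU spanning `n` buffers, all marked "continues"
 * except the last. Runs the walk with the given coalesce function. */
static int run_chain(int n, int (*coalesce)(struct sk_buff *))
{
    struct sk_buff *chain[8];
    if (n < 1 || n > 8)
        return -2;
    for (int i = 0; i < n; i++)
        chain[i] = alloc_skb_model(i < n - 1);
    int result = walk_chain(chain, n, coalesce);
    for (int i = 0; i < n; i++)
        free(chain[i]);                /* real free, once, for the demo */
    return result;
}

int main(void)
{
    printf("fixed:      consumed %d of 3 buffers\n", run_chain(3, coalesce_fixed));
    printf("vulnerable: result %d (flag read from freed memory)\n",
           run_chain(3, coalesce_vulnerable));
    return 0;
}
```

With the fixed coalesce the walk consumes exactly the three buffers of the MSDU; with the vulnerable one the very first flag comes back as the poison byte, which is the value the real loop would have acted on. On a kernel without poisoning the byte is simply whatever the slab reused the object for, so the loop may stop early, run on into unrelated buffers, or the read may be caught by KASAN.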

Affected Products

Linux kernel builds that include the ath12k driver (CONFIG_ATH12K) on hosts with Qualcomm 802.11be (Wi-Fi 7) hardware, such as the QCN9274 and WCN7850 families; the QCN9074, QCA6390 and WCN6855 parts are ath11k devices and are not driven by this code. The relevant CPE is the kernel's, cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*; there is no separate CPE for the module, so match on kernel version and check whether ath12k is built or loaded. Typical deployments: (1) Wi-Fi 7 access points and routers running Linux; (2) Linux laptops and desktops with Qualcomm Wi-Fi 7 adapters; (3) embedded and IoT devices with these chipsets. Affected kernel versions are those that contain ath12k (merged upstream in 6.3) and predate the fix; the CVE text gives no explicit version range, so rely on distribution trackers (Debian's entries are in Vendor Status below) and the upstream stable changelogs. OEM vendors integrating ath12k in custom kernels (e.g., Lenovo, Dell, ASUS for Linux-based products) may distribute affected binaries.

Remediation

Primary mitigation: apply the upstream fix through your distribution's kernel update (the CVE text does not name the commit; the Debian fixed versions in Vendor Status below give concrete package versions, and other distributions publish equivalents). Verify with uname -r against the advisory for your distribution. If the hardware is not needed, unload and blacklist the driver (modprobe -r ath12k, then blacklist ath12k in a file under /etc/modprobe.d/), which removes the code path entirely. Two controls that are sometimes suggested do not help here: module signing only ensures the loaded module is the vendor's, and the vulnerable module is exactly that; containers or sandboxed Wi-Fi services do not isolate a bug in the kernel's RX path, which runs regardless of which user-space process owns the socket. Realistic interim controls for systems that cannot patch immediately: (1) keep the interface down where it is not required; (2) avoid untrusted wireless networks, since the code runs on received frames; (3) on kernels with KASAN or slab debugging enabled, watch for use-after-free reports or oopses in ath12k correlated with Wi-Fi activity. Monitor advisories from Linux distribution maintainers (Red Hat, Canonical, SUSE, Debian), device OEMs and Qualcomm. Fixes are carried in the stable branches that include ath12k; distribution kernels follow their normal stable-update cadence.

Priority Score

36 (scale: Low / Medium / High / Critical)
Components: KEV 0 | EPSS +0.0 | CVSS +36 | POC 0

Vendor Status

Debian (source package: linux)

Release              Status        Fixed Version  Urgency
bullseye             not-affected  -              -
bullseye (security)  fixed         5.10.251-1     -
bookworm             not-affected  -              -
bookworm (security)  fixed         6.1.164-1      -
trixie               fixed         6.12.73-1      -
trixie (security)    fixed         6.12.74-2      -
forky                fixed         6.19.6-2       -
sid                  fixed         6.19.8-1       -
(unstable)           fixed         6.12.35-1      -


EUVD-2025-20956 vulnerability details – vuln.today
