CVE-2025-38512 (GCVE-0-2025-38512)
Vulnerability from cvelistv5
Published
2025-08-16 10:54
Modified
2025-08-16 10:54
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: prevent A-MSDU attacks in mesh networks
This patch is a mitigation to prevent the A-MSDU spoofing vulnerability
for mesh networks. The initial update to the IEEE 802.11 standard, in
response to the FragAttacks, missed this case (CVE-2025-27558). It can
be considered a variant of CVE-2020-24588 but for mesh networks.
This patch tries to detect if a standard MSDU was turned into an A-MSDU
by an adversary. This is done by parsing a received A-MSDU as a standard
MSDU, calculating the length of the Mesh Control header, and seeing if
the 6 bytes after this header equal the start of an rfc1042 header. If
equal, this is a strong indication of an ongoing attack attempt.
This defense was tested with mac80211_hwsim against a mesh network that
uses an empty Mesh Address Extension field, i.e., when four addresses
are used, and when using a 12-byte Mesh Address Extension field, i.e.,
when six addresses are used. Functionality of normal MSDUs and A-MSDUs
was also tested, and confirmed working, when using both an empty and
12-byte Mesh Address Extension field.
It was also tested with mac80211_hwsim that A-MSDU attacks in non-mesh
networks keep being detected and prevented.
Note that the vulnerability being patched, and the defense being
implemented, was also discussed in the following paper and in the
following IEEE 802.11 presentation:
https://papers.mathyvanhoef.com/wisec2025.pdf
https://mentor.ieee.org/802.11/dcn/25/11-25-0949-00-000m-a-msdu-mesh-spoof-protection.docx
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ec6392061de6681148b63ee6c8744da833498cdd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e01851f6e9a665a6011b14714b271d3e6b0b8d32",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6e3b09402cc6c3e3474fa548e8adf6897dda05de",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "737bb912ebbe4571195c56eba557c4d7315b26fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: prevent A-MSDU attacks in mesh networks\n\nThis patch is a mitigation to prevent the A-MSDU spoofing vulnerability\nfor mesh networks. The initial update to the IEEE 802.11 standard, in\nresponse to the FragAttacks, missed this case (CVE-2025-27558). It can\nbe considered a variant of CVE-2020-24588 but for mesh networks.\n\nThis patch tries to detect if a standard MSDU was turned into an A-MSDU\nby an adversary. This is done by parsing a received A-MSDU as a standard\nMSDU, calculating the length of the Mesh Control header, and seeing if\nthe 6 bytes after this header equal the start of an rfc1042 header. If\nequal, this is a strong indication of an ongoing attack attempt.\n\nThis defense was tested with mac80211_hwsim against a mesh network that\nuses an empty Mesh Address Extension field, i.e., when four addresses\nare used, and when using a 12-byte Mesh Address Extension field, i.e.,\nwhen six addresses are used. Functionality of normal MSDUs and A-MSDUs\nwas also tested, and confirmed working, when using both an empty and\n12-byte Mesh Address Extension field.\n\nIt was also tested with mac80211_hwsim that A-MSDU attacks in non-mesh\nnetworks keep being detected and prevented.\n\nNote that the vulnerability being patched, and the defense being\nimplemented, was also discussed in the following paper and in the\nfollowing IEEE 802.11 presentation:\n\nhttps://papers.mathyvanhoef.com/wisec2025.pdf\nhttps://mentor.ieee.org/802.11/dcn/25/11-25-0949-00-000m-a-msdu-mesh-spoof-protection.docx"
}
],
"providerMetadata": {
"dateUpdated": "2025-08-16T10:54:54.285Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80"
},
{
"url": "https://git.kernel.org/stable/c/ec6392061de6681148b63ee6c8744da833498cdd"
},
{
"url": "https://git.kernel.org/stable/c/e01851f6e9a665a6011b14714b271d3e6b0b8d32"
},
{
"url": "https://git.kernel.org/stable/c/6e3b09402cc6c3e3474fa548e8adf6897dda05de"
},
{
"url": "https://git.kernel.org/stable/c/737bb912ebbe4571195c56eba557c4d7315b26fb"
}
],
"title": "wifi: prevent A-MSDU attacks in mesh networks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38512",
"datePublished": "2025-08-16T10:54:54.285Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-08-16T10:54:54.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-38512\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-08-16T11:15:44.263\",\"lastModified\":\"2025-08-18T20:16:28.750\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: prevent A-MSDU attacks in mesh networks\\n\\nThis patch is a mitigation to prevent the A-MSDU spoofing vulnerability\\nfor mesh networks. The initial update to the IEEE 802.11 standard, in\\nresponse to the FragAttacks, missed this case (CVE-2025-27558). It can\\nbe considered a variant of CVE-2020-24588 but for mesh networks.\\n\\nThis patch tries to detect if a standard MSDU was turned into an A-MSDU\\nby an adversary. This is done by parsing a received A-MSDU as a standard\\nMSDU, calculating the length of the Mesh Control header, and seeing if\\nthe 6 bytes after this header equal the start of an rfc1042 header. If\\nequal, this is a strong indication of an ongoing attack attempt.\\n\\nThis defense was tested with mac80211_hwsim against a mesh network that\\nuses an empty Mesh Address Extension field, i.e., when four addresses\\nare used, and when using a 12-byte Mesh Address Extension field, i.e.,\\nwhen six addresses are used. Functionality of normal MSDUs and A-MSDUs\\nwas also tested, and confirmed working, when using both an empty and\\n12-byte Mesh Address Extension field.\\n\\nIt was also tested with mac80211_hwsim that A-MSDU attacks in non-mesh\\nnetworks keep being detected and prevented.\\n\\nNote that the vulnerability being patched, and the defense being\\nimplemented, was also discussed in the following paper and in the\\nfollowing IEEE 802.11 presentation:\\n\\nhttps://papers.mathyvanhoef.com/wisec2025.pdf\\nhttps://mentor.ieee.org/802.11/dcn/25/11-25-0949-00-000m-a-msdu-mesh-spoof-protection.docx\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: prevenir ataques A-MSDU en redes de malla Este parche es una mitigaci\u00f3n para prevenir la vulnerabilidad de suplantaci\u00f3n de A-MSDU para redes de malla. La actualizaci\u00f3n inicial del est\u00e1ndar IEEE 802.11, en respuesta a los FragAttacks, pas\u00f3 por alto este caso (CVE-2025-27558). Puede considerarse una variante de CVE-2020-24588 pero para redes de malla. Este parche intenta detectar si un adversario convirti\u00f3 una MSDU est\u00e1ndar en una A-MSDU. Esto se hace analizando una A-MSDU recibida como una MSDU est\u00e1ndar, calculando la longitud del encabezado Mesh Control y viendo si los 6 bytes despu\u00e9s de este encabezado equivalen al comienzo de un encabezado rfc1042. Si son iguales, esto es un fuerte indicio de un intento de ataque en curso. Esta defensa se prob\u00f3 con mac80211_hwsim contra una red en malla que utiliza un campo de extensi\u00f3n de direcci\u00f3n de malla vac\u00edo (es decir, cuando se utilizan cuatro direcciones) y un campo de extensi\u00f3n de direcci\u00f3n de malla de 12 bytes (es decir, cuando se utilizan seis direcciones). Tambi\u00e9n se prob\u00f3 la funcionalidad de las MSDU normales y las A-MSDU, y se confirm\u00f3 su funcionamiento, tanto al utilizar un campo de extensi\u00f3n de direcci\u00f3n de malla vac\u00edo como al utilizar un campo de extensi\u00f3n de direcci\u00f3n de malla de 12 bytes. Tambi\u00e9n se prob\u00f3 con mac80211_hwsim que los ataques A-MSDU en redes no en malla se siguen detectando y previniendo. Tenga en cuenta que la vulnerabilidad que se est\u00e1 reparando y la defensa que se est\u00e1 implementando tambi\u00e9n se analizaron en el siguiente documento y en la siguiente presentaci\u00f3n IEEE 802.11: https://papers.mathyvanhoef.com/wisec2025.pdf https://mentor.ieee.org/802.11/dcn/25/11-25-0949-00-000m-a-msdu-mesh-spoof-protection.docx\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6e3b09402cc6c3e3474fa548e8adf6897dda05de\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/737bb912ebbe4571195c56eba557c4d7315b26fb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e01851f6e9a665a6011b14714b271d3e6b0b8d32\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e2c8a3c0388aef6bfc4aabfba07bc7dff16eea80\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ec6392061de6681148b63ee6c8744da833498cdd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…