fkie_cve-2025-38505
Vulnerability from fkie_nvd
Published
2025-08-16 11:15
Modified
2025-08-18 20:16
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: discard erroneous disassoc frames on STA interface When operating in concurrent STA/AP mode with host MLME enabled, the firmware incorrectly sends disassociation frames to the STA interface when clients disconnect from the AP interface. This causes kernel warnings as the STA interface processes disconnect events that don't apply to it: [ 1303.240540] WARNING: CPU: 0 PID: 513 at net/wireless/mlme.c:141 cfg80211_process_disassoc+0x78/0xec [cfg80211] [ 1303.250861] Modules linked in: 8021q garp stp mrp llc rfcomm bnep btnxpuart nls_iso8859_1 nls_cp437 onboard_us [ 1303.327651] CPU: 0 UID: 0 PID: 513 Comm: kworker/u9:2 Not tainted 6.16.0-rc1+ #3 PREEMPT [ 1303.335937] Hardware name: Toradex Verdin AM62 WB on Verdin Development Board (DT) [ 1303.343588] Workqueue: MWIFIEX_RX_WORK_QUEUE mwifiex_rx_work_queue [mwifiex] [ 1303.350856] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1303.357904] pc : cfg80211_process_disassoc+0x78/0xec [cfg80211] [ 1303.364065] lr : cfg80211_process_disassoc+0x70/0xec [cfg80211] [ 1303.370221] sp : ffff800083053be0 [ 1303.373590] x29: ffff800083053be0 x28: 0000000000000000 x27: 0000000000000000 [ 1303.380855] x26: 0000000000000000 x25: 00000000ffffffff x24: ffff000002c5b8ae [ 1303.388120] x23: ffff000002c5b884 x22: 0000000000000001 x21: 0000000000000008 [ 1303.395382] x20: ffff000002c5b8ae x19: ffff0000064dd408 x18: 0000000000000006 [ 1303.402646] x17: 3a36333a61623a30 x16: 32206d6f72662063 x15: ffff800080bfe048 [ 1303.409910] x14: ffff000003625300 x13: 0000000000000001 x12: 0000000000000000 [ 1303.417173] x11: 0000000000000002 x10: ffff000003958600 x9 : ffff000003625300 [ 1303.424434] x8 : ffff00003fd9ef40 x7 : ffff0000039fc280 x6 : 0000000000000002 [ 1303.431695] x5 : ffff0000038976d4 x4 : 0000000000000000 x3 : 0000000000003186 [ 1303.438956] x2 : 000000004836ba20 x1 : 0000000000006986 x0 : 00000000d00479de [ 1303.446221] Call trace: [ 1303.448722] cfg80211_process_disassoc+0x78/0xec [cfg80211] (P) [ 1303.454894] cfg80211_rx_mlme_mgmt+0x64/0xf8 [cfg80211] [ 1303.460362] mwifiex_process_mgmt_packet+0x1ec/0x460 [mwifiex] [ 1303.466380] mwifiex_process_sta_rx_packet+0x1bc/0x2a0 [mwifiex] [ 1303.472573] mwifiex_handle_rx_packet+0xb4/0x13c [mwifiex] [ 1303.478243] mwifiex_rx_work_queue+0x158/0x198 [mwifiex] [ 1303.483734] process_one_work+0x14c/0x28c [ 1303.487845] worker_thread+0x2cc/0x3d4 [ 1303.491680] kthread+0x12c/0x208 [ 1303.495014] ret_from_fork+0x10/0x20 Add validation in the STA receive path to verify that disassoc/deauth frames originate from the connected AP. Frames that fail this check are discarded early, preventing them from reaching the MLME layer and triggering WARN_ON(). This filtering logic is similar with that used in the ieee80211_rx_mgmt_disassoc() function in mac80211, which drops disassoc frames that don't match the current BSSID (!ether_addr_equal(mgmt->bssid, sdata->vif.cfg.ap_addr)), ensuring only relevant frames are processed. Tested on: - 8997 with FW 16.68.1.p197
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3b602ddc0df723992721b0d286c90c9bdd755b34
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/52654cebaac23dae31a9c97ae0da5be649f1ab4d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a963819a121f5dd61e0b39934d8b5dec529da96a
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: discard erroneous disassoc frames on STA interface\n\nWhen operating in concurrent STA/AP mode with host MLME enabled,\nthe firmware incorrectly sends disassociation frames to the STA\ninterface when clients disconnect from the AP interface.\nThis causes kernel warnings as the STA interface processes\ndisconnect events that don\u0027t apply to it:\n\n[ 1303.240540] WARNING: CPU: 0 PID: 513 at net/wireless/mlme.c:141 cfg80211_process_disassoc+0x78/0xec [cfg80211]\n[ 1303.250861] Modules linked in: 8021q garp stp mrp llc rfcomm bnep btnxpuart nls_iso8859_1 nls_cp437 onboard_us\n[ 1303.327651] CPU: 0 UID: 0 PID: 513 Comm: kworker/u9:2 Not tainted 6.16.0-rc1+ #3 PREEMPT\n[ 1303.335937] Hardware name: Toradex Verdin AM62 WB on Verdin Development Board (DT)\n[ 1303.343588] Workqueue: MWIFIEX_RX_WORK_QUEUE mwifiex_rx_work_queue [mwifiex]\n[ 1303.350856] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 1303.357904] pc : cfg80211_process_disassoc+0x78/0xec [cfg80211]\n[ 1303.364065] lr : cfg80211_process_disassoc+0x70/0xec [cfg80211]\n[ 1303.370221] sp : ffff800083053be0\n[ 1303.373590] x29: ffff800083053be0 x28: 0000000000000000 x27: 0000000000000000\n[ 1303.380855] x26: 0000000000000000 x25: 00000000ffffffff x24: ffff000002c5b8ae\n[ 1303.388120] x23: ffff000002c5b884 x22: 0000000000000001 x21: 0000000000000008\n[ 1303.395382] x20: ffff000002c5b8ae x19: ffff0000064dd408 x18: 0000000000000006\n[ 1303.402646] x17: 3a36333a61623a30 x16: 32206d6f72662063 x15: ffff800080bfe048\n[ 1303.409910] x14: ffff000003625300 x13: 0000000000000001 x12: 0000000000000000\n[ 1303.417173] x11: 0000000000000002 x10: ffff000003958600 x9 : ffff000003625300\n[ 1303.424434] x8 : ffff00003fd9ef40 x7 : ffff0000039fc280 x6 : 0000000000000002\n[ 1303.431695] x5 : ffff0000038976d4 x4 : 0000000000000000 x3 : 0000000000003186\n[ 1303.438956] x2 : 000000004836ba20 x1 : 0000000000006986 x0 : 00000000d00479de\n[ 1303.446221] Call trace:\n[ 1303.448722]  cfg80211_process_disassoc+0x78/0xec [cfg80211] (P)\n[ 1303.454894]  cfg80211_rx_mlme_mgmt+0x64/0xf8 [cfg80211]\n[ 1303.460362]  mwifiex_process_mgmt_packet+0x1ec/0x460 [mwifiex]\n[ 1303.466380]  mwifiex_process_sta_rx_packet+0x1bc/0x2a0 [mwifiex]\n[ 1303.472573]  mwifiex_handle_rx_packet+0xb4/0x13c [mwifiex]\n[ 1303.478243]  mwifiex_rx_work_queue+0x158/0x198 [mwifiex]\n[ 1303.483734]  process_one_work+0x14c/0x28c\n[ 1303.487845]  worker_thread+0x2cc/0x3d4\n[ 1303.491680]  kthread+0x12c/0x208\n[ 1303.495014]  ret_from_fork+0x10/0x20\n\nAdd validation in the STA receive path to verify that disassoc/deauth\nframes originate from the connected AP. Frames that fail this check\nare discarded early, preventing them from reaching the MLME layer and\ntriggering WARN_ON().\n\nThis filtering logic is similar with that used in the\nieee80211_rx_mgmt_disassoc() function in mac80211, which drops\ndisassoc frames that don\u0027t match the current BSSID\n(!ether_addr_equal(mgmt-\u003ebssid, sdata-\u003evif.cfg.ap_addr)), ensuring\nonly relevant frames are processed.\n\nTested on:\n- 8997 with FW 16.68.1.p197"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: mwifiex: descarta marcos de disociaci\u00f3n err\u00f3neos en la interfaz STA. Cuando se opera en modo STA/AP concurrente con MLME de host habilitado, el firmware env\u00eda incorrectamente marcos de disociaci\u00f3n a la interfaz STA cuando los clientes se desconectan de la interfaz AP. Esto genera advertencias del kernel ya que la interfaz STA procesa eventos de desconexi\u00f3n que no se aplican a ella: [ 1303.240540] ADVERTENCIA: CPU: 0 PID: 513 en net/wireless/mlme.c:141 cfg80211_process_disassoc+0x78/0xec [cfg80211] [ 1303.250861] M\u00f3dulos vinculados: 8021q garp stp mrp llc rfcomm bnep btnxpuart nls_iso8859_1 nls_cp437 onboard_us [ 1303.327651] CPU: 0 UID: 0 PID: 513 Comm: kworker/u9:2 No contaminado 6.16.0-rc1+ #3 PREEMPT [ 1303.335937] Nombre del hardware: Toradex Verdin AM62 WB en placa de desarrollo Verdin (DT) [ 1303.343588] Cola de trabajo: MWIFIEX_RX_WORK_QUEUE mwifiex_rx_work_queue [mwifiex] [ 1303.350856] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1303.357904] pc : cfg80211_process_disassoc+0x78/0xec [cfg80211] [ 1303.364065] lr : cfg80211_process_disassoc+0x70/0xec [cfg80211] [ 1303.370221] sp : ffff800083053be0 [ 1303.373590] x29: ffff800083053be0 x28: 0000000000000000 x27: 00000000000000000 [ 1303.380855] x26: 0000000000000000 x25: 00000000ffffffff x24: ffff000002c5b8ae [ 1303.388120] x23: ffff000002c5b884 x22: 0000000000000001 x21: 0000000000000008 [ 1303.395382] x20: ffff000002c5b8ae x19: ffff0000064dd408 x18: 0000000000000006 [ 1303.402646] x17: 3a36333a61623a30 x16: 32206d6f72662063 x15: ffff800080bfe048 [ 1303.409910] x14: ffff000003625300 x13: 000000000000001 x12: 0000000000000000 [ 1303.417173] x11: 0000000000000002 x10: ffff000003958600 x9 : ffff000003625300 [ 1303.424434] x8 : ffff00003fd9ef40 x7 : ffff0000039fc280 x6 : 0000000000000002 [ 1303.431695] x5 : ffff0000038976d4 x4 : 0000000000000000 x3 : 0000000000003186 [ 1303.438956] x2 : 000000004836ba20 x1 : 0000000000006986 x0 : 00000000d00479de [ 1303.446221] Rastreo de llamadas: [ 1303.448722] cfg80211_process_disassoc+0x78/0xec [cfg80211] (P) [ 1303.454894] cfg80211_rx_mlme_mgmt+0x64/0xf8 [cfg80211] [ 1303.460362] mwifiex_process_mgmt_packet+0x1ec/0x460 [mwifiex] [ 1303.466380] mwifiex_process_sta_rx_packet+0x1bc/0x2a0 [mwifiex] [ 1303.472573] mwifiex_handle_rx_packet+0xb4/0x13c [mwifiex] [ 1303.478243] mwifiex_rx_work_queue+0x158/0x198 [mwifiex] [ 1303.483734] process_one_work+0x14c/0x28c [ 1303.487845]worker_thread+0x2cc/0x3d4 [ 1303.491680] kthread+0x12c/0x208 [ 1303.495014] ret_from_fork+0x10/0x20 Agregue validaci\u00f3n en la ruta de recepci\u00f3n de STA para verificar que los marcos de desasociaci\u00f3n/desautorizaci\u00f3n se originen en el AP conectado. Las tramas que no superan esta comprobaci\u00f3n se descartan prematuramente, lo que impide que lleguen a la capa MLME y activen WARN_ON(). Esta l\u00f3gica de filtrado es similar a la utilizada en la funci\u00f3n ieee80211_rx_mgmt_disassoc() de mac80211, que descarta las tramas de desasociaci\u00f3n que no coinciden con el BSSID actual (!ether_addr_equal(mgmt-\u0026gt;bssid, sdata-\u0026gt;vif.cfg.ap_addr)), garantizando as\u00ed que solo se procesen las tramas relevantes. Probado en: - 8997 con firmware 16.68.1.p197"
    }
  ],
  "id": "CVE-2025-38505",
  "lastModified": "2025-08-18T20:16:28.750",
  "metrics": {},
  "published": "2025-08-16T11:15:43.407",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3b602ddc0df723992721b0d286c90c9bdd755b34"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/52654cebaac23dae31a9c97ae0da5be649f1ab4d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a963819a121f5dd61e0b39934d8b5dec529da96a"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.