CVE-2025-38601

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: clear initialized flag for deinit-ed srng lists

In a number of cases we see kernel panics on resume due to ath11k kernel page fault, which happens under the following circumstances:

1) First ath11k_hal_dump_srng_stats() call

    Last interrupt received for each group:
    ath11k_pci 0000:01:00.0: group_id 0 22511ms before
    ath11k_pci 0000:01:00.0: group_id 1 14440788ms before
    [..]
    ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..
    ath11k_pci 0000:01:00.0: Service connect timeout
    ath11k_pci 0000:01:00.0: failed to connect to HTT: -110
    ath11k_pci 0000:01:00.0: failed to start core: -110
    ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM
    ath11k_pci 0000:01:00.0: already resetting count 2
    ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110
    ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110
    ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery
    [..]

2) At this point reconfiguration fails (we have 2 resets) and ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit() which destroys srng lists. However, it does not reset per-list ->initialized flag.

3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized flag and attempts to dump srng stats:

    Last interrupt received for each group:
    ath11k_pci 0000:01:00.0: group_id 0 66785ms before
    ath11k_pci 0000:01:00.0: group_id 1 14485062ms before
    ath11k_pci 0000:01:00.0: group_id 2 14485062ms before
    ath11k_pci 0000:01:00.0: group_id 3 14485062ms before
    ath11k_pci 0000:01:00.0: group_id 4 14780845ms before
    ath11k_pci 0000:01:00.0: group_id 5 14780845ms before
    ath11k_pci 0000:01:00.0: group_id 6 14485062ms before
    ath11k_pci 0000:01:00.0: group_id 7 66814ms before
    ath11k_pci 0000:01:00.0: group_id 8 68997ms before
    ath11k_pci 0000:01:00.0: group_id 9 67588ms before
    ath11k_pci 0000:01:00.0: group_id 10 69511ms before
    BUG: unable to handle page fault for address: ffffa007404eb010
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0
    Oops: 0000 [#1] PREEMPT SMP NOPTI
    RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]
    Call Trace:
    <TASK>
    ? __die_body+0xae/0xb0
    ? page_fault_oops+0x381/0x3e0
    ? exc_page_fault+0x69/0xa0
    ? asm_exc_page_fault+0x22/0x30
    ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]
    ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]
    worker_thread+0x389/0x930
    kthread+0x149/0x170

Clear per-list ->initialized flag in ath11k_hal_srng_deinit().

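
A user-space model of the stale-flag sequence described above, as an added example that is not the ath11k driver's code. The `model_*` names, the struct layout and the ring count are hypothetical, it assumes that destroying a list releases its backing memory, and it counts the reads the dump path would make instead of performing them.

```c
#include <stdbool.h>
#include <stdlib.h>

#define MODEL_RING_MAX 4            /* constructed size, not the driver's */

struct model_srng {                 /* hypothetical stand-in for one srng list entry */
    bool initialized;
    unsigned int *ring_base;        /* backing memory, released on deinit */
};
struct model_hal { struct model_srng srng_list[MODEL_RING_MAX]; };

static int model_init(struct model_hal *hal)
{
    for (int i = 0; i < MODEL_RING_MAX; i++) {
        hal->srng_list[i].ring_base = calloc(8, sizeof(unsigned int));
        if (!hal->srng_list[i].ring_base)
            return -1;
        hal->srng_list[i].initialized = true;
    }
    return 0;
}

/* clear_flags == false models deinit before the fix, true models the fix. */
static void model_deinit(struct model_hal *hal, bool clear_flags)
{
    for (int i = 0; i < MODEL_RING_MAX; i++) {
        free(hal->srng_list[i].ring_base);
        hal->srng_list[i].ring_base = NULL;
        if (clear_flags)
            hal->srng_list[i].initialized = false;
    }
}

/* Dump-path model: counts entries it would read although their memory is gone. */
static int model_stale_reads(const struct model_hal *hal)
{
    int stale = 0;
    for (int i = 0; i < MODEL_RING_MAX; i++)
        if (hal->srng_list[i].initialized && !hal->srng_list[i].ring_base)
            stale++;                /* the flag is the only guard, so a read would follow */
    return stale;
}

static int model_run(bool clear_flags)
{
    struct model_hal hal = {0};
    int rc = model_init(&hal);
    model_deinit(&hal, clear_flags);
    return rc ? -1 : model_stale_reads(&hal);
}
int main(void) { return (model_run(false) == MODEL_RING_MAX && model_run(true) == 0) ? 0 : 1; }
```
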
Configurations

Configuration 1

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Configuration 2

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

07 Jan 2026, 18:42

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/0ebb5fe494501c19f31270008b26ab95201af6fd - () https://git.kernel.org/stable/c/0ebb5fe494501c19f31270008b26ab95201af6fd - Patch
References () https://git.kernel.org/stable/c/16872194c80f2724472fc207991712895ac8a230 - () https://git.kernel.org/stable/c/16872194c80f2724472fc207991712895ac8a230 - Patch
References () https://git.kernel.org/stable/c/3a6daae987a829534636fd85ed6f84d5f0ad7fa4 - () https://git.kernel.org/stable/c/3a6daae987a829534636fd85ed6f84d5f0ad7fa4 - Patch
References () https://git.kernel.org/stable/c/5bf201c55fdf303e79005038648dfa1e8af48f54 - () https://git.kernel.org/stable/c/5bf201c55fdf303e79005038648dfa1e8af48f54 - Patch
References () https://git.kernel.org/stable/c/72a48be1f53942793f3bc68a37fad1f38b53b082 - () https://git.kernel.org/stable/c/72a48be1f53942793f3bc68a37fad1f38b53b082 - Patch
References () https://git.kernel.org/stable/c/916ac18d526a26f6072866b1a97622cf1351ef1c - () https://git.kernel.org/stable/c/916ac18d526a26f6072866b1a97622cf1351ef1c - Patch
References () https://git.kernel.org/stable/c/a5b46aa7cf5f05c213316a018e49a8e086efd98e - () https://git.kernel.org/stable/c/a5b46aa7cf5f05c213316a018e49a8e086efd98e - Patch
References () https://git.kernel.org/stable/c/eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5 - () https://git.kernel.org/stable/c/eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5 - Patch
References () https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html - () https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html - Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html - () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html - Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5
First Time Linux
Debian
Debian debian Linux
Linux linux Kernel
CPE cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
CWE CWE-909

03 Nov 2025, 18:16

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html -
  • () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html -

28 Aug 2025, 15:15

Type Values Removed Values Added
References
  • () https://git.kernel.org/stable/c/3a6daae987a829534636fd85ed6f84d5f0ad7fa4 -
  • () https://git.kernel.org/stable/c/eff3bb53c18c0ed4ab6f43d412b3ed3aecad52d5 -

20 Aug 2025, 14:40

Type Values Removed Values Added
Summary
  • (es) Spanish-language translation of the English description above.

19 Aug 2025, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-08-19 17:15

Updated : 2026-01-07 18:42


NVD link : CVE-2025-38601

Mitre link : CVE-2025-38601

CVE.ORG link : CVE-2025-38601



Products Affected

debian

  • debian_linux

linux

  • linux_kernel
CWE
CWE-909

Missing Initialization of Resource