{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-21729","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.755Z","datePublished":"2025-02-27T02:07:34.711Z","dateUpdated":"2025-05-04T07:19:54.470Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:19:54.470Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix race between cancel_hw_scan and hw_scan completion\n\nThe rtwdev->scanning flag isn't protected by mutex originally, so\ncancel_hw_scan can pass the condition, but suddenly hw_scan completion\nunset the flag and calls ieee80211_scan_completed() that will free\nlocal->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and\nuse-after-free. Fix it by moving the check condition to where\nprotected by mutex.\n\n KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\n CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G           OE\n Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019\n Workqueue: events cfg80211_conn_work [cfg80211]\n RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d\n RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206\n RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001\n RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089\n RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960\n R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000\n FS:  0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0\n Call Trace:\n  <TASK>\n  ? show_regs+0x61/0x73\n  ? __die_body+0x20/0x73\n  ? die_addr+0x4f/0x7b\n  ? exc_general_protection+0x191/0x1db\n  ? asm_exc_general_protection+0x27/0x30\n  ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n  ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]\n  ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]\n  ? do_raw_spin_lock+0x75/0xdb\n  ? __pfx_do_raw_spin_lock+0x10/0x10\n  rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]\n  ? _raw_spin_unlock+0xe/0x24\n  ? __mutex_lock.constprop.0+0x40c/0x471\n  ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]\n  ? __mutex_lock_slowpath+0x13/0x1f\n  ? mutex_lock+0xa2/0xdc\n  ? __pfx_mutex_lock+0x10/0x10\n  rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]\n  rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]\n  ieee80211_scan_cancel+0x468/0x4d0 [mac80211]\n  ieee80211_prep_connection+0x858/0x899 [mac80211]\n  ieee80211_mgd_auth+0xbea/0xdde [mac80211]\n  ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]\n  ? cfg80211_find_elem+0x15/0x29 [cfg80211]\n  ? is_bss+0x1b7/0x1d7 [cfg80211]\n  ieee80211_auth+0x18/0x27 [mac80211]\n  cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]\n  cfg80211_conn_do_work+0x410/0xb81 [cfg80211]\n  ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]\n  ? __kasan_check_read+0x11/0x1f\n  ? psi_group_change+0x8bc/0x944\n  ? __kasan_check_write+0x14/0x22\n  ? mutex_lock+0x8e/0xdc\n  ? __pfx_mutex_lock+0x10/0x10\n  ? __pfx___radix_tree_lookup+0x10/0x10\n  cfg80211_conn_work+0x245/0x34d [cfg80211]\n  ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]\n  ? update_cfs_rq_load_avg+0x3bc/0x3d7\n  ? sched_clock_noinstr+0x9/0x1a\n  ? sched_clock+0x10/0x24\n  ? sched_clock_cpu+0x7e/0x42e\n  ? newidle_balance+0x796/0x937\n  ? __pfx_sched_clock_cpu+0x10/0x10\n  ? __pfx_newidle_balance+0x10/0x10\n  ? __kasan_check_read+0x11/0x1f\n  ? psi_group_change+0x8bc/0x944\n  ? _raw_spin_unlock+0xe/0x24\n  ? raw_spin_rq_unlock+0x47/0x54\n  ? raw_spin_rq_unlock_irq+0x9/0x1f\n  ? finish_task_switch.isra.0+0x347/0x586\n  ? __schedule+0x27bf/0x2892\n  ? mutex_unlock+0x80/0xd0\n  ? do_raw_spin_lock+0x75/0xdb\n  ? __pfx___schedule+0x10/0x10\n  process_scheduled_works+0x58c/0x821\n  worker_thread+0x4c7/0x586\n  ? __kasan_check_read+0x11/0x1f\n  kthread+0x285/0x294\n  ? __pfx_worker_thread+0x10/0x10\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x29/0x6f\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1b/0x30\n  </TASK>"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/realtek/rtw89/mac80211.c"],"versions":[{"version":"895907779752606f6a4795abfc008509f8e38314","lessThan":"2403cb3c235d5e339b580cc3a825493769fadca8","status":"affected","versionType":"git"},{"version":"895907779752606f6a4795abfc008509f8e38314","lessThan":"5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67","status":"affected","versionType":"git"},{"version":"895907779752606f6a4795abfc008509f8e38314","lessThan":"ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/realtek/rtw89/mac80211.c"],"versions":[{"version":"5.18","status":"affected"},{"version":"0","lessThan":"5.18","status":"unaffected","versionType":"semver"},{"version":"6.12.13","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.2","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.12.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.13.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2403cb3c235d5e339b580cc3a825493769fadca8"},{"url":"https://git.kernel.org/stable/c/5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67"},{"url":"https://git.kernel.org/stable/c/ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c"}],"title":"wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2025-21729","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-02-27T18:14:34.158732Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-27T18:22:29.958Z"}}]}}