{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38513","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.023Z","datePublished":"2025-08-16T10:55:00.254Z","dateUpdated":"2026-05-11T21:29:28.349Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:29:28.349Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()\n\nThere is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For\nexample, the following is possible:\n\n    \tT0\t\t\t    \t\tT1\nzd_mac_tx_to_dev()\n  /* len == skb_queue_len(q) */\n  while (len > ZD_MAC_MAX_ACK_WAITERS) {\n\n\t\t\t\t\t  filter_ack()\n\t\t\t\t\t    spin_lock_irqsave(&q->lock, flags);\n\t\t\t\t\t    /* position == skb_queue_len(q) */\n\t\t\t\t\t    for (i=1; i<position; i++)\n\t\t\t\t    \t      skb = __skb_dequeue(q)\n\n\t\t\t\t\t    if (mac->type == NL80211_IFTYPE_AP)\n\t\t\t\t\t      skb = __skb_dequeue(q);\n\t\t\t\t\t    spin_unlock_irqrestore(&q->lock, flags);\n\n    skb_dequeue() -> NULL\n\nSince there is a small gap between checking skb queue length and skb being\nunconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.\nThen the pointer is passed to zd_mac_tx_status() where it is dereferenced.\n\nIn order to avoid potential NULL pointer dereference due to situations like\nabove, check if skb is not NULL before passing it to zd_mac_tx_status().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/zydas/zd1211rw/zd_mac.c"],"versions":[{"version":"459c51ad6e1fc19e91a53798358433d3c08cd09d","lessThan":"c1958270de947604cc6de05fc96dbba256b49cf0","status":"affected","versionType":"git"},{"version":"459c51ad6e1fc19e91a53798358433d3c08cd09d","lessThan":"014c34dc132015c4f918ada4982e952947ac1047","status":"affected","versionType":"git"},{"version":"459c51ad6e1fc19e91a53798358433d3c08cd09d","lessThan":"b24f65c184540dfb967479320ecf7e8c2e9220dc","status":"affected","versionType":"git"},{"version":"459c51ad6e1fc19e91a53798358433d3c08cd09d","lessThan":"adf08c96b963c7cd7ec1ee1c0c556228d9bedaae","status":"affected","versionType":"git"},{"version":"459c51ad6e1fc19e91a53798358433d3c08cd09d","lessThan":"5420de65efbeb6503bcf1d43451c9df67ad60298","status":"affected","versionType":"git"},{"version":"459c51ad6e1fc19e91a53798358433d3c08cd09d","lessThan":"fcd9c923b58e86501450b9b442ccc7ce4a8d0fda","status":"affected","versionType":"git"},{"version":"459c51ad6e1fc19e91a53798358433d3c08cd09d","lessThan":"602b4eb2f25668de15de69860ec99caf65b3684d","status":"affected","versionType":"git"},{"version":"459c51ad6e1fc19e91a53798358433d3c08cd09d","lessThan":"74b1ec9f5d627d2bdd5e5b6f3f81c23317657023","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/zydas/zd1211rw/zd_mac.c"],"versions":[{"version":"2.6.25","status":"affected"},{"version":"0","lessThan":"2.6.25","status":"unaffected","versionType":"semver"},{"version":"5.4.296","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.240","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.189","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.146","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.99","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.39","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.7","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.25","versionEndExcluding":"5.4.296"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.25","versionEndExcluding":"5.10.240"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.25","versionEndExcluding":"5.15.189"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.25","versionEndExcluding":"6.1.146"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.25","versionEndExcluding":"6.6.99"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.25","versionEndExcluding":"6.12.39"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.25","versionEndExcluding":"6.15.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.25","versionEndExcluding":"6.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/c1958270de947604cc6de05fc96dbba256b49cf0"},{"url":"https://git.kernel.org/stable/c/014c34dc132015c4f918ada4982e952947ac1047"},{"url":"https://git.kernel.org/stable/c/b24f65c184540dfb967479320ecf7e8c2e9220dc"},{"url":"https://git.kernel.org/stable/c/adf08c96b963c7cd7ec1ee1c0c556228d9bedaae"},{"url":"https://git.kernel.org/stable/c/5420de65efbeb6503bcf1d43451c9df67ad60298"},{"url":"https://git.kernel.org/stable/c/fcd9c923b58e86501450b9b442ccc7ce4a8d0fda"},{"url":"https://git.kernel.org/stable/c/602b4eb2f25668de15de69860ec99caf65b3684d"},{"url":"https://git.kernel.org/stable/c/74b1ec9f5d627d2bdd5e5b6f3f81c23317657023"}],"title":"wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:39:16.277Z"}}]}}