{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38604","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.028Z","datePublished":"2025-08-19T17:03:43.358Z","dateUpdated":"2026-05-11T21:31:26.694Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:31:26.694Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: Kill URBs before clearing tx status queue\n\nIn rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing\nb_tx_status.queue. This change prevents callbacks from using already freed\nskb due to anchor was not killed before freeing such skb.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]\n Call Trace:\n  <IRQ>\n  rtl8187_tx_cb+0x116/0x150 [rtl8187]\n  __usb_hcd_giveback_urb+0x9d/0x120\n  usb_giveback_urb_bh+0xbb/0x140\n  process_one_work+0x19b/0x3c0\n  bh_worker+0x1a7/0x210\n  tasklet_action+0x10/0x30\n  handle_softirqs+0xf0/0x340\n  __irq_exit_rcu+0xcd/0xf0\n  common_interrupt+0x85/0xa0\n  </IRQ>\n\nTested on RTL8187BvE device.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"],"versions":[{"version":"c1db52b9d27ee6e15a7136e67e4a21dc916cd07f","lessThan":"e64732ebff9e24258e7326f07adbe2f2b990daf8","status":"affected","versionType":"git"},{"version":"c1db52b9d27ee6e15a7136e67e4a21dc916cd07f","lessThan":"789415771422f4fb9f444044f86ecfaec55df1bd","status":"affected","versionType":"git"},{"version":"c1db52b9d27ee6e15a7136e67e4a21dc916cd07f","lessThan":"c73c773b09e313278f9b960303a2809b8440bac6","status":"affected","versionType":"git"},{"version":"c1db52b9d27ee6e15a7136e67e4a21dc916cd07f","lessThan":"8c767727f331fb9455b0f81daad832b5925688cb","status":"affected","versionType":"git"},{"version":"c1db52b9d27ee6e15a7136e67e4a21dc916cd07f","lessThan":"14ca6952691fa8cc91e7644512e6ff24a595283f","status":"affected","versionType":"git"},{"version":"c1db52b9d27ee6e15a7136e67e4a21dc916cd07f","lessThan":"7858a95566f4ebf59524666683d2dcdba3fca968","status":"affected","versionType":"git"},{"version":"c1db52b9d27ee6e15a7136e67e4a21dc916cd07f","lessThan":"c51a45ad9070a6d296174fcbe5c466352836c12b","status":"affected","versionType":"git"},{"version":"c1db52b9d27ee6e15a7136e67e4a21dc916cd07f","lessThan":"81cfe34d0630de4e23ae804dcc08fb6f861dc37d","status":"affected","versionType":"git"},{"version":"c1db52b9d27ee6e15a7136e67e4a21dc916cd07f","lessThan":"16d8fd74dbfca0ea58645cd2fca13be10cae3cdd","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"],"versions":[{"version":"2.6.29","status":"affected"},{"version":"0","lessThan":"2.6.29","status":"unaffected","versionType":"semver"},{"version":"5.4.297","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.241","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.190","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.148","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.102","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.42","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.10","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16.1","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.4.297"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.10.241"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"5.15.190"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.1.148"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.6.102"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.12.42"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.15.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.16.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.29","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e64732ebff9e24258e7326f07adbe2f2b990daf8"},{"url":"https://git.kernel.org/stable/c/789415771422f4fb9f444044f86ecfaec55df1bd"},{"url":"https://git.kernel.org/stable/c/c73c773b09e313278f9b960303a2809b8440bac6"},{"url":"https://git.kernel.org/stable/c/8c767727f331fb9455b0f81daad832b5925688cb"},{"url":"https://git.kernel.org/stable/c/14ca6952691fa8cc91e7644512e6ff24a595283f"},{"url":"https://git.kernel.org/stable/c/7858a95566f4ebf59524666683d2dcdba3fca968"},{"url":"https://git.kernel.org/stable/c/c51a45ad9070a6d296174fcbe5c466352836c12b"},{"url":"https://git.kernel.org/stable/c/81cfe34d0630de4e23ae804dcc08fb6f861dc37d"},{"url":"https://git.kernel.org/stable/c/16d8fd74dbfca0ea58645cd2fca13be10cae3cdd"}],"title":"wifi: rtl818x: Kill URBs before clearing tx status queue","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:40:19.561Z"}}]}}