{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-68729","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-24T10:30:51.028Z","datePublished":"2025-12-24T10:33:12.515Z","dateUpdated":"2026-05-11T21:52:12.750Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:52:12.750Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix MSDU buffer types handling in RX error path\n\nCurrently, packets received on the REO exception ring from\nunassociated peers are of MSDU buffer type, while the driver expects\nlink descriptor type packets. These packets are not parsed further due\nto a return check on packet type in ath12k_hal_desc_reo_parse_err(),\nbut the associated skb is not freed. This may lead to kernel\ncrashes and buffer leaks.\n\nHence to fix, update the RX error handler to explicitly drop\nMSDU buffer type packets received on the REO exception ring.\nThis prevents further processing of invalid packets and ensures\nstability in the RX error handling path.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/ath/ath12k/dp_rx.c","drivers/net/wireless/ath/ath12k/hal_rx.c"],"versions":[{"version":"d889913205cf7ebda905b1e62c5867ed4e39f6c2","lessThan":"5ff5a9d71cdc49c3400f30583a784ad0a17d01ec","status":"affected","versionType":"git"},{"version":"d889913205cf7ebda905b1e62c5867ed4e39f6c2","lessThan":"ab0554f51e5f2b9506e8a09e8accd02f00056729","status":"affected","versionType":"git"},{"version":"d889913205cf7ebda905b1e62c5867ed4e39f6c2","lessThan":"36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/ath/ath12k/dp_rx.c","drivers/net/wireless/ath/ath12k/hal_rx.c"],"versions":[{"version":"6.3","status":"affected"},{"version":"0","lessThan":"6.3","status":"unaffected","versionType":"semver"},{"version":"6.17.13","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18.2","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.17.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.18.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5ff5a9d71cdc49c3400f30583a784ad0a17d01ec"},{"url":"https://git.kernel.org/stable/c/ab0554f51e5f2b9506e8a09e8accd02f00056729"},{"url":"https://git.kernel.org/stable/c/36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981"}],"title":"wifi: ath12k: Fix MSDU buffer types handling in RX error path","x_generator":{"engine":"bippy-1.2.0"}}}}