{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-37944", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:23.972Z", "datePublished": "2025-05-20T15:58:20.211Z", "dateUpdated": "2025-05-26T05:24:15.108Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-26T05:24:15.108Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process\n\nCurrently, ath12k_dp_mon_srng_process uses ath12k_hal_srng_src_get_next_entry\nto fetch the next entry from the destination ring. This is incorrect because\nath12k_hal_srng_src_get_next_entry is intended for source rings, not destination\nrings. This leads to invalid entry fetches, causing potential data corruption or\ncrashes due to accessing incorrect memory locations. This happens because the\nsource ring and destination ring have different handling mechanisms and using\nthe wrong function results in incorrect pointer arithmetic and ring management.\n\nTo fix this issue, replace the call to ath12k_hal_srng_src_get_next_entry with\nath12k_hal_srng_dst_get_next_entry in ath12k_dp_mon_srng_process. This ensures\nthat the correct function is used for fetching entries from the destination\nring, preventing invalid memory accesses.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath12k/dp_mon.c"], "versions": [{"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2", "lessThan": "2c512f2eadabb1e80816116894ffaf7d802a944e", "status": "affected", "versionType": "git"}, {"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2", "lessThan": "ab7edf42ce800eb34d2f73dd7271b826661a06a5", "status": "affected", "versionType": "git"}, {"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2", "lessThan": "b6a3b2b2cead103089d3bb7a57d8209bdfa5399d", "status": "affected", "versionType": "git"}, {"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2", "lessThan": "298f0aea5cb32b5038f991f5db201a0fcbb9a31b", "status": "affected", "versionType": "git"}, {"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2", "lessThan": "63fdc4509bcf483e79548de6bc08bf3c8e504bb3", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath12k/dp_mon.c"], "versions": [{"version": "6.3", "status": "affected"}, {"version": "0", "lessThan": "6.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.88", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.25", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.12", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.4", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.6.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.12.25"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.13.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.14.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.15"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2c512f2eadabb1e80816116894ffaf7d802a944e"}, {"url": "https://git.kernel.org/stable/c/ab7edf42ce800eb34d2f73dd7271b826661a06a5"}, {"url": "https://git.kernel.org/stable/c/b6a3b2b2cead103089d3bb7a57d8209bdfa5399d"}, {"url": "https://git.kernel.org/stable/c/298f0aea5cb32b5038f991f5db201a0fcbb9a31b"}, {"url": "https://git.kernel.org/stable/c/63fdc4509bcf483e79548de6bc08bf3c8e504bb3"}], "title": "wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process\n\nCurrently, ath12k_dp_mon_srng_process uses ath12k_hal_srng_src_get_next_entry\nto fetch the next entry from the destination ring. This is incorrect because\nath12k_hal_srng_src_get_next_entry is intended for source rings, not destination\nrings. This leads to invalid entry fetches, causing potential data corruption or\ncrashes due to accessing incorrect memory locations. This happens because the\nsource ring and destination ring have different handling mechanisms and using\nthe wrong function results in incorrect pointer arithmetic and ring management.\n\nTo fix this issue, replace the call to ath12k_hal_srng_src_get_next_entry with\nath12k_hal_srng_dst_get_next_entry in ath12k_dp_mon_srng_process. This ensures\nthat the correct function is used for fetching entries from the destination\nring, preventing invalid memory accesses.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3"}], "id": "CVE-2025-37944", "lastModified": "2025-05-21T20:24:58.133", "metrics": {}, "published": "2025-05-20T16:15:32.310", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/298f0aea5cb32b5038f991f5db201a0fcbb9a31b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2c512f2eadabb1e80816116894ffaf7d802a944e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/63fdc4509bcf483e79548de6bc08bf3c8e504bb3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ab7edf42ce800eb34d2f73dd7271b826661a06a5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b6a3b2b2cead103089d3bb7a57d8209bdfa5399d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process", "id": "2367749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2367749"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nwifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process\nCurrently, ath12k_dp_mon_srng_process uses ath12k_hal_srng_src_get_next_entry\nto fetch the next entry from the destination ring. This is incorrect because\nath12k_hal_srng_src_get_next_entry is intended for source rings, not destination\nrings. This leads to invalid entry fetches, causing potential data corruption or\ncrashes due to accessing incorrect memory locations. This happens because the\nsource ring and destination ring have different handling mechanisms and using\nthe wrong function results in incorrect pointer arithmetic and ring management.\nTo fix this issue, replace the call to ath12k_hal_srng_src_get_next_entry with\nath12k_hal_srng_dst_get_next_entry in ath12k_dp_mon_srng_process. This ensures\nthat the correct function is used for fetching entries from the destination\nring, preventing invalid memory accesses.\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1\nTested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3"], "name": "CVE-2025-37944", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-37944\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-37944\nhttps://lore.kernel.org/linux-cve-announce/2025052044-CVE-2025-37944-5e94@gregkh/T"], "statement": "A logic flaw in ath12k_dp_mon_srng_process() led to the use of a source-ring function (ath12k_hal_srng_src_get_next_entry) instead of the correct destination-ring one, which could result in invalid memory access and possible kernel crashes. Exploiting this requires root or CAP_NET_ADMIN privileges to trigger packet monitoring on affected Qualcomm Wi-Fi hardware.", "threat_severity": "Moderate"}