{"id":71723,"date":"2025-10-15T11:45:38","date_gmt":"2025-10-15T08:15:38","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-40000-wifi-rtw89-fix-use-after-free-in-rtw89_core_tx_kick_off_and_wait\/"},"modified":"2025-10-15T11:45:38","modified_gmt":"2025-10-15T08:15:38","slug":"cve-2025-40000-wifi-rtw89-fix-use-after-free-in-rtw89_core_tx_kick_off_and_wait","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-40000-wifi-rtw89-fix-use-after-free-in-rtw89_core_tx_kick_off_and_wait\/","title":{"rendered":"CVE-2025-40000 &#8211; wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()"},"content":{"rendered":"<p>CVE ID : CVE-2025-40000<\/p>\n<p>Published :  Oct. 15, 2025, 8:15 a.m. | 24\u00a0minutes ago<\/p>\n<p>Description : In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()<\/p>\n<p>There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to<br \/>\naccess already freed skb_data:<\/p>\n<p> BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers\/net\/wireless\/realtek\/rtw89\/core.c:1110<\/p>\n<p> CPU: 6 UID: 0 PID: 41377 Comm: kworker\/u64:24 Not tainted  6.17.0-rc1+ #1 PREEMPT(lazy)<br \/>\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05\/23\/2025<br \/>\n Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]\n<p> Use-after-free write at 0x0000000020309d9d (in kfence-#251):<br \/>\n rtw89_core_tx_kick_off_and_wait drivers\/net\/wireless\/realtek\/rtw89\/core.c:1110<br \/>\n rtw89_core_scan_complete drivers\/net\/wireless\/realtek\/rtw89\/core.c:5338<br \/>\n rtw89_hw_scan_complete_cb drivers\/net\/wireless\/realtek\/rtw89\/fw.c:7979<br \/>\n rtw89_chanctx_proceed_cb drivers\/net\/wireless\/realtek\/rtw89\/chan.c:3165<br \/>\n rtw89_chanctx_proceed drivers\/net\/wireless\/realtek\/rtw89\/chan.h:141<br \/>\n rtw89_hw_scan_complete drivers\/net\/wireless\/realtek\/rtw89\/fw.c:8012<br \/>\n rtw89_mac_c2h_scanofld_rsp drivers\/net\/wireless\/realtek\/rtw89\/mac.c:5059<br \/>\n rtw89_fw_c2h_work drivers\/net\/wireless\/realtek\/rtw89\/fw.c:6758<br \/>\n process_one_work kernel\/workqueue.c:3241<br \/>\n worker_thread kernel\/workqueue.c:3400<br \/>\n kthread kernel\/kthread.c:463<br \/>\n ret_from_fork arch\/x86\/kernel\/process.c:154<br \/>\n ret_from_fork_asm arch\/x86\/entry\/entry_64.S:258<\/p>\n<p> kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache<\/p>\n<p> allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago):<br \/>\n __alloc_skb net\/core\/skbuff.c:659<br \/>\n __netdev_alloc_skb net\/core\/skbuff.c:734<br \/>\n ieee80211_nullfunc_get net\/mac80211\/tx.c:5844<br \/>\n rtw89_core_send_nullfunc drivers\/net\/wireless\/realtek\/rtw89\/core.c:3431<br \/>\n rtw89_core_scan_complete drivers\/net\/wireless\/realtek\/rtw89\/core.c:5338<br \/>\n rtw89_hw_scan_complete_cb drivers\/net\/wireless\/realtek\/rtw89\/fw.c:7979<br \/>\n rtw89_chanctx_proceed_cb drivers\/net\/wireless\/realtek\/rtw89\/chan.c:3165<br \/>\n rtw89_chanctx_proceed drivers\/net\/wireless\/realtek\/rtw89\/chan.c:3194<br \/>\n rtw89_hw_scan_complete drivers\/net\/wireless\/realtek\/rtw89\/fw.c:8012<br \/>\n rtw89_mac_c2h_scanofld_rsp drivers\/net\/wireless\/realtek\/rtw89\/mac.c:5059<br \/>\n rtw89_fw_c2h_work drivers\/net\/wireless\/realtek\/rtw89\/fw.c:6758<br \/>\n process_one_work kernel\/workqueue.c:3241<br \/>\n worker_thread kernel\/workqueue.c:3400<br \/>\n kthread kernel\/kthread.c:463<br \/>\n ret_from_fork arch\/x86\/kernel\/process.c:154<br \/>\n ret_from_fork_asm arch\/x86\/entry\/entry_64.S:258<\/p>\n<p> freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago):<br \/>\n ieee80211_tx_status_skb net\/mac80211\/status.c:1117<br \/>\n rtw89_pci_release_txwd_skb drivers\/net\/wireless\/realtek\/rtw89\/pci.c:564<br \/>\n rtw89_pci_release_tx_skbs.isra.0 drivers\/net\/wireless\/realtek\/rtw89\/pci.c:651<br \/>\n rtw89_pci_release_tx drivers\/net\/wireless\/realtek\/rtw89\/pci.c:676<br \/>\n rtw89_pci_napi_poll drivers\/net\/wireless\/realtek\/rtw89\/pci.c:4238<br \/>\n __napi_poll net\/core\/dev.c:7495<br \/>\n net_rx_action net\/core\/dev.c:7557 net\/core\/dev.c:7684<br \/>\n handle_softirqs kernel\/softirq.c:580<br \/>\n do_softirq.part.0 kernel\/softirq.c:480<br \/>\n __local_bh_enable_ip kernel\/softirq.c:407<br \/>\n rtw89_pci_interrupt_threadfn drivers\/net\/wireless\/realtek\/rtw89\/pci.c:927<br \/>\n irq_thread_fn kernel\/irq\/manage.c:1133<br \/>\n irq_thread kernel\/irq\/manage.c:1257<br \/>\n kthread kernel\/kthread.c:463<br \/>\n ret_from_fork arch\/x86\/kernel\/process.c:154<br \/>\n ret_from_fork_asm arch\/x86\/entry\/entry_64.S:258<\/p>\n<p>It is a consequence of a race between the waiting and the signaling side<br \/>\nof the completion:<\/p>\n<p>            Waiting thread                            Completing thread<\/p>\n<p>rtw89_core_tx_kick_off_and_wait()<br \/>\n  rcu_assign_pointer(skb_data-&gt;wait, wait)<br \/>\n  \/* start waiting *\/<br \/>\n  wait_for_completion_timeout()<br \/>\n                                                rtw89_pci_tx_status()<br \/>\n                                                  rtw89_core_tx_wait_complete()<br \/>\n                                                    rcu_read_lock()<br \/>\n                                                    \/* signals completion and<\/p>\n<p>&#8212;truncated&#8212;<\/p>\n<p>Severity: 0.0 | NA<\/p>\n<p>Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2025-40000 Published : Oct. 15, 2025, 8:15 a.m. | 24\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait() There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to access already freed skb_data: BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers\/net\/wireless\/realtek\/rtw89\/core.c:1110 CPU: 6 UID: &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-71723","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/71723","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=71723"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/71723\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=71723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=71723"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=71723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}