CVE-2025-38513

In the Linux kernel, the following vulnerability has been resolved:

wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()

There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible:

	T0			    		T1

zd_mac_tx_to_dev() /* len == skb_queue_len(q) */ while (len > ZD_MAC_MAX_ACK_WAITERS) {

				  filter_ack()
				    spin_lock_irqsave(&amp;q-&gt;lock, flags);
				    /* position == skb_queue_len(q) */
				    for (i=1; i&lt;position; i++)
			    	      skb = __skb_dequeue(q)

				    if (mac-&gt;type == NL80211_IFTYPE_AP)
				      skb = __skb_dequeue(q);
				    spin_unlock_irqrestore(&amp;q-&gt;lock, flags);

skb_dequeue() -&gt; NULL

Since there is a small gap between checking skb queue length and skb being unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL. Then the pointer is passed to zd_mac_tx_status() where it is dereferenced.

In order to avoid potential NULL pointer dereference due to situations like above, check if skb is not NULL before passing it to zd_mac_tx_status().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Published: Aug 16, 2025
Updated: Jan 8, 2026
CVE: CVE-2025-38513
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-476

Affected Software
References

Software	From	Fixed in
linux / linux_kernel	2.6.25	5.4.296
linux / linux_kernel	5.5	5.10.240
linux / linux_kernel	5.11	5.15.189
linux / linux_kernel	5.16	6.1.146
linux / linux_kernel	6.2	6.6.99
linux / linux_kernel	6.7	6.12.39
linux / linux_kernel	6.13	6.15.7
linux / linux_kernel	6.16-rc1	6.16-rc1.x
linux / linux_kernel	6.16-rc2	6.16-rc2.x
linux / linux_kernel	6.16-rc3	6.16-rc3.x
linux / linux_kernel	6.16-rc4	6.16-rc4.x
linux / linux_kernel	6.16-rc5	6.16-rc5.x
debian / debian_linux	11.0	11.0.x

Vulnerability Database

318,756

CVE-2025-38513

Deep Security Visibility Without the Complexity