{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-21729", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.755Z", "datePublished": "2025-02-27T02:07:34.711Z", "dateUpdated": "2026-05-11T21:05:18.050Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:05:18.050Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix race between cancel_hw_scan and hw_scan completion\n\nThe rtwdev->scanning flag isn't protected by mutex originally, so\ncancel_hw_scan can pass the condition, but suddenly hw_scan completion\nunset the flag and calls ieee80211_scan_completed() that will free\nlocal->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and\nuse-after-free. Fix it by moving the check condition to where\nprotected by mutex.\n\n KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\n CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE\n Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019\n Workqueue: events cfg80211_conn_work [cfg80211]\n RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d\n RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206\n RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001\n RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089\n RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960\n R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0\n Call Trace:\n <TASK>\n ? show_regs+0x61/0x73\n ? __die_body+0x20/0x73\n ? die_addr+0x4f/0x7b\n ? exc_general_protection+0x191/0x1db\n ? asm_exc_general_protection+0x27/0x30\n ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]\n ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]\n ? do_raw_spin_lock+0x75/0xdb\n ? __pfx_do_raw_spin_lock+0x10/0x10\n rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]\n ? _raw_spin_unlock+0xe/0x24\n ? __mutex_lock.constprop.0+0x40c/0x471\n ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]\n ? __mutex_lock_slowpath+0x13/0x1f\n ? mutex_lock+0xa2/0xdc\n ? __pfx_mutex_lock+0x10/0x10\n rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]\n rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]\n ieee80211_scan_cancel+0x468/0x4d0 [mac80211]\n ieee80211_prep_connection+0x858/0x899 [mac80211]\n ieee80211_mgd_auth+0xbea/0xdde [mac80211]\n ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]\n ? cfg80211_find_elem+0x15/0x29 [cfg80211]\n ? is_bss+0x1b7/0x1d7 [cfg80211]\n ieee80211_auth+0x18/0x27 [mac80211]\n cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]\n cfg80211_conn_do_work+0x410/0xb81 [cfg80211]\n ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]\n ? __kasan_check_read+0x11/0x1f\n ? psi_group_change+0x8bc/0x944\n ? __kasan_check_write+0x14/0x22\n ? mutex_lock+0x8e/0xdc\n ? __pfx_mutex_lock+0x10/0x10\n ? __pfx___radix_tree_lookup+0x10/0x10\n cfg80211_conn_work+0x245/0x34d [cfg80211]\n ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]\n ? update_cfs_rq_load_avg+0x3bc/0x3d7\n ? sched_clock_noinstr+0x9/0x1a\n ? sched_clock+0x10/0x24\n ? sched_clock_cpu+0x7e/0x42e\n ? newidle_balance+0x796/0x937\n ? __pfx_sched_clock_cpu+0x10/0x10\n ? __pfx_newidle_balance+0x10/0x10\n ? __kasan_check_read+0x11/0x1f\n ? psi_group_change+0x8bc/0x944\n ? _raw_spin_unlock+0xe/0x24\n ? raw_spin_rq_unlock+0x47/0x54\n ? raw_spin_rq_unlock_irq+0x9/0x1f\n ? finish_task_switch.isra.0+0x347/0x586\n ? __schedule+0x27bf/0x2892\n ? mutex_unlock+0x80/0xd0\n ? do_raw_spin_lock+0x75/0xdb\n ? __pfx___schedule+0x10/0x10\n process_scheduled_works+0x58c/0x821\n worker_thread+0x4c7/0x586\n ? __kasan_check_read+0x11/0x1f\n kthread+0x285/0x294\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x29/0x6f\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n </TASK>"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/realtek/rtw89/mac80211.c"], "versions": [{"version": "895907779752606f6a4795abfc008509f8e38314", "lessThan": "2403cb3c235d5e339b580cc3a825493769fadca8", "status": "affected", "versionType": "git"}, {"version": "895907779752606f6a4795abfc008509f8e38314", "lessThan": "5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67", "status": "affected", "versionType": "git"}, {"version": "895907779752606f6a4795abfc008509f8e38314", "lessThan": "ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/realtek/rtw89/mac80211.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.13", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.2", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.12.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.13.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.14"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2403cb3c235d5e339b580cc3a825493769fadca8"}, {"url": "https://git.kernel.org/stable/c/5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67"}, {"url": "https://git.kernel.org/stable/c/ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c"}], "title": "wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-21729", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-27T18:14:34.158732Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-27T18:22:29.958Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-21729", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-27T18:14:34.158732Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-27T18:14:35.363Z"}}], "cna": {"title": "wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "895907779752606f6a4795abfc008509f8e38314", "lessThan": "2403cb3c235d5e339b580cc3a825493769fadca8", "versionType": "git"}, {"status": "affected", "version": "895907779752606f6a4795abfc008509f8e38314", "lessThan": "5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67", "versionType": "git"}, {"status": "affected", "version": "895907779752606f6a4795abfc008509f8e38314", "lessThan": "ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c", "versionType": "git"}], "programFiles": ["drivers/net/wireless/realtek/rtw89/mac80211.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.18"}, {"status": "unaffected", "version": "0", "lessThan": "5.18", "versionType": "semver"}, {"status": "unaffected", "version": "6.12.13", "versionType": "semver", "lessThanOrEqual": "6.12.*"}, {"status": "unaffected", "version": "6.13.2", "versionType": "semver", "lessThanOrEqual": "6.13.*"}, {"status": "unaffected", "version": "6.14", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/net/wireless/realtek/rtw89/mac80211.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/2403cb3c235d5e339b580cc3a825493769fadca8"}, {"url": "https://git.kernel.org/stable/c/5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67"}, {"url": "https://git.kernel.org/stable/c/ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix race between cancel_hw_scan and hw_scan completion\n\nThe rtwdev->scanning flag isn't protected by mutex originally, so\ncancel_hw_scan can pass the condition, but suddenly hw_scan completion\nunset the flag and calls ieee80211_scan_completed() that will free\nlocal->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and\nuse-after-free. Fix it by moving the check condition to where\nprotected by mutex.\n\n KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\n CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE\n Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019\n Workqueue: events cfg80211_conn_work [cfg80211]\n RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d\n RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206\n RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001\n RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089\n RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960\n R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0\n Call Trace:\n <TASK>\n ? show_regs+0x61/0x73\n ? __die_body+0x20/0x73\n ? die_addr+0x4f/0x7b\n ? exc_general_protection+0x191/0x1db\n ? asm_exc_general_protection+0x27/0x30\n ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]\n ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]\n ? do_raw_spin_lock+0x75/0xdb\n ? __pfx_do_raw_spin_lock+0x10/0x10\n rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]\n ? _raw_spin_unlock+0xe/0x24\n ? __mutex_lock.constprop.0+0x40c/0x471\n ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]\n ? __mutex_lock_slowpath+0x13/0x1f\n ? mutex_lock+0xa2/0xdc\n ? __pfx_mutex_lock+0x10/0x10\n rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]\n rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]\n ieee80211_scan_cancel+0x468/0x4d0 [mac80211]\n ieee80211_prep_connection+0x858/0x899 [mac80211]\n ieee80211_mgd_auth+0xbea/0xdde [mac80211]\n ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]\n ? cfg80211_find_elem+0x15/0x29 [cfg80211]\n ? is_bss+0x1b7/0x1d7 [cfg80211]\n ieee80211_auth+0x18/0x27 [mac80211]\n cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]\n cfg80211_conn_do_work+0x410/0xb81 [cfg80211]\n ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]\n ? __kasan_check_read+0x11/0x1f\n ? psi_group_change+0x8bc/0x944\n ? __kasan_check_write+0x14/0x22\n ? mutex_lock+0x8e/0xdc\n ? __pfx_mutex_lock+0x10/0x10\n ? __pfx___radix_tree_lookup+0x10/0x10\n cfg80211_conn_work+0x245/0x34d [cfg80211]\n ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]\n ? update_cfs_rq_load_avg+0x3bc/0x3d7\n ? sched_clock_noinstr+0x9/0x1a\n ? sched_clock+0x10/0x24\n ? sched_clock_cpu+0x7e/0x42e\n ? newidle_balance+0x796/0x937\n ? __pfx_sched_clock_cpu+0x10/0x10\n ? __pfx_newidle_balance+0x10/0x10\n ? __kasan_check_read+0x11/0x1f\n ? psi_group_change+0x8bc/0x944\n ? _raw_spin_unlock+0xe/0x24\n ? raw_spin_rq_unlock+0x47/0x54\n ? raw_spin_rq_unlock_irq+0x9/0x1f\n ? finish_task_switch.isra.0+0x347/0x586\n ? __schedule+0x27bf/0x2892\n ? mutex_unlock+0x80/0xd0\n ? do_raw_spin_lock+0x75/0xdb\n ? __pfx___schedule+0x10/0x10\n process_scheduled_works+0x58c/0x821\n worker_thread+0x4c7/0x586\n ? __kasan_check_read+0x11/0x1f\n kthread+0x285/0x294\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x29/0x6f\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n </TASK>"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.12.13", "versionStartIncluding": "5.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.13.2", "versionStartIncluding": "5.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.14", "versionStartIncluding": "5.18"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:05:18.050Z"}}}, "cveMetadata": {"cveId": "CVE-2025-21729", "state": "PUBLISHED", "dateUpdated": "2026-05-11T21:05:18.050Z", "dateReserved": "2024-12-29T08:45:45.755Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2025-02-27T02:07:34.711Z", "assignerShortName": "Linux"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8059611-D9EB-48F5-BBD4-DBA24A7972A1", "versionEndExcluding": "6.12.13", "versionStartIncluding": "5.18", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D4116B1-1BFD-4F23-BA84-169CC05FC5A3", "versionEndExcluding": "6.13.2", "versionStartIncluding": "6.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix race between cancel_hw_scan and hw_scan completion\n\nThe rtwdev->scanning flag isn't protected by mutex originally, so\ncancel_hw_scan can pass the condition, but suddenly hw_scan completion\nunset the flag and calls ieee80211_scan_completed() that will free\nlocal->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and\nuse-after-free. Fix it by moving the check condition to where\nprotected by mutex.\n\n KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\n CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE\n Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019\n Workqueue: events cfg80211_conn_work [cfg80211]\n RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d\n RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206\n RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001\n RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089\n RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000\n R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960\n R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0\n Call Trace:\n <TASK>\n ? show_regs+0x61/0x73\n ? __die_body+0x20/0x73\n ? die_addr+0x4f/0x7b\n ? exc_general_protection+0x191/0x1db\n ? asm_exc_general_protection+0x27/0x30\n ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]\n ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]\n ? do_raw_spin_lock+0x75/0xdb\n ? __pfx_do_raw_spin_lock+0x10/0x10\n rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]\n ? _raw_spin_unlock+0xe/0x24\n ? __mutex_lock.constprop.0+0x40c/0x471\n ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]\n ? __mutex_lock_slowpath+0x13/0x1f\n ? mutex_lock+0xa2/0xdc\n ? __pfx_mutex_lock+0x10/0x10\n rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]\n rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]\n ieee80211_scan_cancel+0x468/0x4d0 [mac80211]\n ieee80211_prep_connection+0x858/0x899 [mac80211]\n ieee80211_mgd_auth+0xbea/0xdde [mac80211]\n ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]\n ? cfg80211_find_elem+0x15/0x29 [cfg80211]\n ? is_bss+0x1b7/0x1d7 [cfg80211]\n ieee80211_auth+0x18/0x27 [mac80211]\n cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]\n cfg80211_conn_do_work+0x410/0xb81 [cfg80211]\n ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]\n ? __kasan_check_read+0x11/0x1f\n ? psi_group_change+0x8bc/0x944\n ? __kasan_check_write+0x14/0x22\n ? mutex_lock+0x8e/0xdc\n ? __pfx_mutex_lock+0x10/0x10\n ? __pfx___radix_tree_lookup+0x10/0x10\n cfg80211_conn_work+0x245/0x34d [cfg80211]\n ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]\n ? update_cfs_rq_load_avg+0x3bc/0x3d7\n ? sched_clock_noinstr+0x9/0x1a\n ? sched_clock+0x10/0x24\n ? sched_clock_cpu+0x7e/0x42e\n ? newidle_balance+0x796/0x937\n ? __pfx_sched_clock_cpu+0x10/0x10\n ? __pfx_newidle_balance+0x10/0x10\n ? __kasan_check_read+0x11/0x1f\n ? psi_group_change+0x8bc/0x944\n ? _raw_spin_unlock+0xe/0x24\n ? raw_spin_rq_unlock+0x47/0x54\n ? raw_spin_rq_unlock_irq+0x9/0x1f\n ? finish_task_switch.isra.0+0x347/0x586\n ? __schedule+0x27bf/0x2892\n ? mutex_unlock+0x80/0xd0\n ? do_raw_spin_lock+0x75/0xdb\n ? __pfx___schedule+0x10/0x10\n process_scheduled_works+0x58c/0x821\n worker_thread+0x4c7/0x586\n ? __kasan_check_read+0x11/0x1f\n kthread+0x285/0x294\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x29/0x6f\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n </TASK>"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: rtw89: se corrige la ejecuci\u00f3n entre cancel_hw_scan y la finalizaci\u00f3n de hw_scan El indicador rtwdev-&gt;scanning no est\u00e1 protegido por mutex originalmente, por lo que cancel_hw_scan puede pasar la condici\u00f3n, pero de repente la finalizaci\u00f3n de hw_scan desconfigura el indicador y llama a ieee80211_scan_completed() que liberar\u00e1 local-&gt;hw_scan_req. Luego, cancel_hw_scan lanza null-ptr-deref y use-after-free. Arr\u00e9glelo moviendo la condici\u00f3n de verificaci\u00f3n a donde est\u00e9 protegida por mutex. KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f] CPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE Hardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019 Workqueue: events cfg80211_conn_work [cfg80211] RIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core] Code: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d RSP: 0018:ffff88811fd9f068 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001 RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089 RBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000 R10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960 R13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0 Call Trace: ? show_regs+0x61/0x73 ? __die_body+0x20/0x73 ? die_addr+0x4f/0x7b ? exc_general_protection+0x191/0x1db ? asm_exc_general_protection+0x27/0x30 ? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core] ? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core] ? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core] ? do_raw_spin_lock+0x75/0xdb ? __pfx_do_raw_spin_lock+0x10/0x10 rtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core] ? _raw_spin_unlock+0xe/0x24 ? __mutex_lock.constprop.0+0x40c/0x471 ? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core] ? __mutex_lock_slowpath+0x13/0x1f ? mutex_lock+0xa2/0xdc ? __pfx_mutex_lock+0x10/0x10 rtw89_hw_scan_abort+0x58/0xb7 [rtw89_core] rtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core] ieee80211_scan_cancel+0x468/0x4d0 [mac80211] ieee80211_prep_connection+0x858/0x899 [mac80211] ieee80211_mgd_auth+0xbea/0xdde [mac80211] ? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211] ? cfg80211_find_elem+0x15/0x29 [cfg80211] ? is_bss+0x1b7/0x1d7 [cfg80211] ieee80211_auth+0x18/0x27 [mac80211] cfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211] cfg80211_conn_do_work+0x410/0xb81 [cfg80211] ? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211] ? __kasan_check_read+0x11/0x1f ? psi_group_change+0x8bc/0x944 ? __kasan_check_write+0x14/0x22 ? mutex_lock+0x8e/0xdc ? __pfx_mutex_lock+0x10/0x10 ? __pfx___radix_tree_lookup+0x10/0x10 cfg80211_conn_work+0x245/0x34d [cfg80211] ? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211] ? update_cfs_rq_load_avg+0x3bc/0x3d7 ? sched_clock_noinstr+0x9/0x1a ? sched_clock+0x10/0x24 ? sched_clock_cpu+0x7e/0x42e ? newidle_balance+0x796/0x937 ? __pfx_sched_clock_cpu+0x10/0x10 ? __pfx_newidle_balance+0x10/0x10 ? __kasan_check_read+0x11/0x1f ? psi_group_change+0x8bc/0x944 ? _raw_spin_unlock+0xe/0x24 ? raw_spin_rq_unlock+0x47/0x54 ? raw_spin_rq_unlock_irq+0x9/0x1f ? finish_task_switch.isra.0+0x347/0x586 ? __schedule+0x27bf/0x2892 ? mutex_unlock+0x80/0xd0 ? do_raw_spin_lock+0x75/0xdb ? __pfx___schedule+0x10/0x10 process_scheduled_works+0x58c/0x821 worker_thread+0x4c7/0x586 ? __kasan_check_read+0x11/0x1f kthread+0x285/0x294 ? __pfx_worker_thread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x6f ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 "}], "id": "CVE-2025-21729", "lastModified": "2025-03-24T18:57:27.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-02-27T02:15:16.637", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2403cb3c235d5e339b580cc3a825493769fadca8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5afcd6fcd1e1c1fd6bcc9a360c121d10eddade67"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ba4bb0402c60e945c4c396c51f0acac3c3e3ea5c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion", "id": "2348573", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348573"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nwifi: rtw89: fix race between cancel_hw_scan and hw_scan completion\nThe rtwdev->scanning flag isn't protected by mutex originally, so\ncancel_hw_scan can pass the condition, but suddenly hw_scan completion\nunset the flag and calls ieee80211_scan_completed() that will free\nlocal->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and\nuse-after-free. Fix it by moving the check condition to where\nprotected by mutex.\nKASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\nCPU: 2 PID: 6922 Comm: kworker/2:2 Tainted: G OE\nHardware name: LENOVO 2356AD1/2356AD1, BIOS G7ETB6WW (2.76 ) 09/10/2019\nWorkqueue: events cfg80211_conn_work [cfg80211]\nRIP: 0010:rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\nCode: 00 45 89 6c 24 1c 0f 85 23 01 00 00 48 8b 85 20 ff ff ff 48 8d\nRSP: 0018:ffff88811fd9f068 EFLAGS: 00010206\nRAX: dffffc0000000000 RBX: ffff88811fd9f258 RCX: 0000000000000001\nRDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000089\nRBP: ffff88811fd9f170 R08: 0000000000000000 R09: 0000000000000000\nR10: ffff88811fd9f108 R11: 0000000000000000 R12: ffff88810e47f960\nR13: 0000000000000000 R14: 000000000000ffff R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8881d6f00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007531dfca55b0 CR3: 00000001be296004 CR4: 00000000001706e0\nCall Trace:\n<TASK>\n? show_regs+0x61/0x73\n? __die_body+0x20/0x73\n? die_addr+0x4f/0x7b\n? exc_general_protection+0x191/0x1db\n? asm_exc_general_protection+0x27/0x30\n? rtw89_fw_h2c_scan_offload_be+0xc33/0x13c3 [rtw89_core]\n? rtw89_fw_h2c_scan_offload_be+0x458/0x13c3 [rtw89_core]\n? __pfx_rtw89_fw_h2c_scan_offload_be+0x10/0x10 [rtw89_core]\n? do_raw_spin_lock+0x75/0xdb\n? __pfx_do_raw_spin_lock+0x10/0x10\nrtw89_hw_scan_offload+0xb5e/0xbf7 [rtw89_core]\n? _raw_spin_unlock+0xe/0x24\n? __mutex_lock.constprop.0+0x40c/0x471\n? __pfx_rtw89_hw_scan_offload+0x10/0x10 [rtw89_core]\n? __mutex_lock_slowpath+0x13/0x1f\n? mutex_lock+0xa2/0xdc\n? __pfx_mutex_lock+0x10/0x10\nrtw89_hw_scan_abort+0x58/0xb7 [rtw89_core]\nrtw89_ops_cancel_hw_scan+0x120/0x13b [rtw89_core]\nieee80211_scan_cancel+0x468/0x4d0 [mac80211]\nieee80211_prep_connection+0x858/0x899 [mac80211]\nieee80211_mgd_auth+0xbea/0xdde [mac80211]\n? __pfx_ieee80211_mgd_auth+0x10/0x10 [mac80211]\n? cfg80211_find_elem+0x15/0x29 [cfg80211]\n? is_bss+0x1b7/0x1d7 [cfg80211]\nieee80211_auth+0x18/0x27 [mac80211]\ncfg80211_mlme_auth+0x3bb/0x3e7 [cfg80211]\ncfg80211_conn_do_work+0x410/0xb81 [cfg80211]\n? __pfx_cfg80211_conn_do_work+0x10/0x10 [cfg80211]\n? __kasan_check_read+0x11/0x1f\n? psi_group_change+0x8bc/0x944\n? __kasan_check_write+0x14/0x22\n? mutex_lock+0x8e/0xdc\n? __pfx_mutex_lock+0x10/0x10\n? __pfx___radix_tree_lookup+0x10/0x10\ncfg80211_conn_work+0x245/0x34d [cfg80211]\n? __pfx_cfg80211_conn_work+0x10/0x10 [cfg80211]\n? update_cfs_rq_load_avg+0x3bc/0x3d7\n? sched_clock_noinstr+0x9/0x1a\n? sched_clock+0x10/0x24\n? sched_clock_cpu+0x7e/0x42e\n? newidle_balance+0x796/0x937\n? __pfx_sched_clock_cpu+0x10/0x10\n? __pfx_newidle_balance+0x10/0x10\n? __kasan_check_read+0x11/0x1f\n? psi_group_change+0x8bc/0x944\n? _raw_spin_unlock+0xe/0x24\n? raw_spin_rq_unlock+0x47/0x54\n? raw_spin_rq_unlock_irq+0x9/0x1f\n? finish_task_switch.isra.0+0x347/0x586\n? __schedule+0x27bf/0x2892\n? mutex_unlock+0x80/0xd0\n? do_raw_spin_lock+0x75/0xdb\n? __pfx___schedule+0x10/0x10\nprocess_scheduled_works+0x58c/0x821\nworker_thread+0x4c7/0x586\n? __kasan_check_read+0x11/0x1f\nkthread+0x285/0x294\n? __pfx_worker_thread+0x10/0x10\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x29/0x6f\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1b/0x30\n</TASK>", "A flaw was found in the linux kernel. A race between cancel_hw_scan and hw_scan completion may lead to compromised availability."], "name": "CVE-2025-21729", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21729\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21729\nhttps://lore.kernel.org/linux-cve-announce/2025022648-CVE-2025-21729-24e3@gregkh/T"], "threat_severity": "Moderate"}

{}