{ "threat_severity" : "Low", "public_date" : "2025-02-27T00:00:00Z", "bugzilla" : { "description" : "kernel: wifi: brcmfmac: Check the return value of of_property_read_string_index()", "id" : "2348656", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2348656" }, "cvss3" : { "cvss3_base_score" : "4.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-20", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: brcmfmac: Check the return value of of_property_read_string_index()\nSomewhen between 6.10 and 6.11 the driver started to crash on my\nMacBookPro14,3. The property doesn't exist and 'tmp' remains\nuninitialized, so we pass a random pointer to devm_kstrdup().\nThe crash I am getting looks like this:\nBUG: unable to handle page fault for address: 00007f033c669379\nPF: supervisor read access in kernel mode\nPF: error_code(0x0001) - permissions violation\nPGD 8000000101341067 P4D 8000000101341067 PUD 101340067 PMD 1013bb067 PTE 800000010aee9025\nOops: Oops: 0001 [#1] SMP PTI\nCPU: 4 UID: 0 PID: 827 Comm: (udev-worker) Not tainted 6.11.8-gentoo #1\nHardware name: Apple Inc. MacBookPro14,3/Mac-551B86E5744E2388, BIOS 529.140.2.0.0 06/23/2024\nRIP: 0010:strlen+0x4/0x30\nCode: f7 75 ec 31 c0 c3 cc cc cc cc 48 89 f8 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <80> 3f 00 74 14 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 cc\nRSP: 0018:ffffb4aac0683ad8 EFLAGS: 00010202\nRAX: 00000000ffffffea RBX: 00007f033c669379 RCX: 0000000000000001\nRDX: 0000000000000cc0 RSI: 00007f033c669379 RDI: 00007f033c669379\nRBP: 00000000ffffffea R08: 0000000000000000 R09: 00000000c0ba916a\nR10: ffffffffffffffff R11: ffffffffb61ea260 R12: ffff91f7815b50c8\nR13: 0000000000000cc0 R14: ffff91fafefffe30 R15: ffffb4aac0683b30\nFS: 00007f033ccbe8c0(0000) GS:ffff91faeed00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f033c669379 CR3: 0000000107b1e004 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n? __die+0x23/0x70\n? page_fault_oops+0x149/0x4c0\n? raw_spin_rq_lock_nested+0xe/0x20\n? sched_balance_newidle+0x22b/0x3c0\n? update_load_avg+0x78/0x770\n? exc_page_fault+0x6f/0x150\n? asm_exc_page_fault+0x26/0x30\n? __pfx_pci_conf1_write+0x10/0x10\n? strlen+0x4/0x30\ndevm_kstrdup+0x25/0x70\nbrcmf_of_probe+0x273/0x350 [brcmfmac]" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20095", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.8.1.el10_1" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21750\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21750\nhttps://lore.kernel.org/linux-cve-announce/2025022601-CVE-2025-21750-d10d@gregkh/T" ], "name" : "CVE-2025-21750", "csaw" : false }