{
  "threat_severity" : "Moderate",
  "public_date" : "2025-07-03T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: wifi: ath12k: fix uaf in ath12k_core_init()",
    "id" : "2376076",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2376076"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: ath12k: fix uaf in ath12k_core_init()\nWhen the execution of ath12k_core_hw_group_assign() or\nath12k_core_hw_group_create() fails, the registered notifier chain is not\nunregistered properly. Its memory is freed after rmmod, which may trigger\nto a use-after-free (UAF) issue if there is a subsequent access to this\nnotifier chain.\nFixes the issue by calling ath12k_core_panic_notifier_unregister() in\nfailure cases.\nCall trace:\nnotifier_chain_register+0x4c/0x1f0 (P)\natomic_notifier_chain_register+0x38/0x68\nath12k_core_init+0x50/0x4e8 [ath12k]\nath12k_pci_probe+0x5f8/0xc28 [ath12k]\npci_device_probe+0xbc/0x1a8\nreally_probe+0xc8/0x3a0\n__driver_probe_device+0x84/0x1b0\ndriver_probe_device+0x44/0x130\n__driver_attach+0xcc/0x208\nbus_for_each_dev+0x84/0x100\ndriver_attach+0x2c/0x40\nbus_add_driver+0x130/0x260\ndriver_register+0x70/0x138\n__pci_register_driver+0x68/0x80\nath12k_pci_init+0x30/0x68 [ath12k]\nath12k_init+0x28/0x78 [ath12k]\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3" ],
  "statement" : "The vulnerability is classified as a use-after-free in the ath12k_core_init() function. It occurs when the notifier chain is not properly unregistered upon initialization failure, potentially leading to kernel crashes upon later access. For the CVSS the Privileges Required (PR) metric is set to High, as exploitation requires the ability to load and unload kernel modules (e.g., insmod/rmmod), which is restricted to privileged users with CAP_SYS_MODULE or root access. The bug is relevant only for the latest version of Red Hat Enterprise Linux 9 (and newer), because in earlier versions the Linux kernel config option CONFIG_ATH12K was disabled.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20095",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.8.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38116\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38116\nhttps://lore.kernel.org/linux-cve-announce/2025070325-CVE-2025-38116-1d80@gregkh/T" ],
  "name" : "CVE-2025-38116",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module ath12k from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}