VYPR
High severity · 7.8 · NVD Advisory · Published Sep 19, 2025 · Updated May 12, 2026

CVE-2025-39864

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: fix use-after-free in cmp_bss()

Following bss_free() quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly"), adjust cfg80211_update_known_bss() to free the last beacon frame elements only if they're not shared via the corresponding 'hidden_beacon_bss' pointer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in the Linux kernel's cfg80211 subsystem, exploitable via crafted Wi-Fi frames, allows local privilege escalation.

Vulnerability Overview

CVE-2025-39864 is a use-after-free vulnerability in the Linux kernel's cfg80211 wireless configuration subsystem. The bug resides in the cmp_bss() function, which is used to compare BSS (Basic Service Set) entries. The root cause is a quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly") that could lead to a use-after-free when cfg80211_update_known_bss() frees beacon frame elements that are still referenced via the hidden_beacon_bss pointer [1][3][4].
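The ownership rule described above, as a simplified userspace model added here for illustration; it is not the kernel's code or the actual patch. The struct layout, the function names and the `live` flag (which stands in for the real free so the stale pointer can be observed safely) are assumptions.

```c
/* Simplified model of shared beacon IEs; all names are hypothetical,
 * not the kernel's. "live = false" stands in for the real free. */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

struct ies { bool live; };              /* one beacon IE buffer */

struct bss {
    struct ies *beacon_ies;             /* last beacon frame elements */
    struct bss *hidden_beacon_bss;      /* non-NULL: beacon_ies is borrowed */
};

static void release(struct ies *e) { if (e) e->live = false; }

/* Unsafe variant: releases the entry's beacon IEs unconditionally. */
static void drop_beacon_ies_unchecked(struct bss *b)
{
    release(b->beacon_ies);
}

/* Rule from the description: release only if the IEs are not shared
 * via the hidden_beacon_bss pointer. */
static void drop_beacon_ies_checked(struct bss *b)
{
    if (!b->hidden_beacon_bss)
        release(b->beacon_ies);
}

/* Returns true if the owning entry still points at a live buffer after
 * an entry that borrows its IEs has been dropped. */
static bool owner_survives(void (*drop)(struct bss *))
{
    struct ies buf = { .live = true };
    struct bss owner    = { .beacon_ies = &buf, .hidden_beacon_bss = NULL };
    struct bss borrower = { .beacon_ies = &buf, .hidden_beacon_bss = &owner };

    drop(&borrower);
    return owner.beacon_ies->live;      /* a later comparison would read this */
}

int main(void)
{
    printf("unchecked: owner IEs live = %d\n",
           owner_survives(drop_beacon_ies_unchecked));
    printf("checked:   owner IEs live = %d\n",
           owner_survives(drop_beacon_ies_checked));
    return 0;
}
```

In the unchecked variant the owning entry is left holding a pointer to a released buffer, which is the stale reference a later comparison would dereference.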

Exploitation

With a CVSS v3.1 base score of 7.8, the vulnerability is classified as High severity. The attack vector is local (AV:L), attack complexity is low (AC:L), and no privileges are required (PR:N), but user interaction is required (UI:R). An attacker would need to send specially crafted Wi-Fi management frames to trigger the use-after-free condition. The vulnerability affects the Linux kernel and, by extension, products that incorporate it, such as Siemens SIMATIC CN 4100 devices running all versions before V5.0 [1].

Impact

Successful exploitation could allow an attacker to achieve arbitrary code execution in kernel context, leading to a complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H). The use-after-free can be leveraged to corrupt kernel memory and potentially escalate privileges from a local user to root [1].

Mitigation

The fix is included in the Linux kernel stable releases, as referenced in commits a8bb681e879c and 5b7ae04969f [3][4]. Users should apply the latest kernel updates. For Siemens SIMATIC CN 4100, upgrading to version V5.0 or later addresses this vulnerability [1]. No workarounds are documented.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
