CVE-2025-39991
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()
If ab->fw.m3_data points to data, then fw pointer remains null. Further, if m3_mem is not allocated, then fw is dereferenced to be passed to ath11k_err function.
Replace fw->size by m3_len.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in ath11k_qmi_m3_load() occurs when m3_data is set but fw pointer remains null; fix replaces fw->size with m3_len.
Root Cause
In the Linux kernel's ath11k Wi-Fi driver, the function ath11k_qmi_m3_load() can trigger a NULL pointer dereference. When the driver's firmware data (ab->fw.m3_data) is non-NULL, the fw pointer remains NULL. If the m3_mem allocation then fails, the code passes fw->size to ath11k_err(), which dereferences the NULL pointer. The fix is to use m3_len instead of fw->size [1][2].
Exploitation Surface
This vulnerability is local, affecting systems running a vulnerable version of the Linux kernel with the ath11k driver loaded. No authentication is explicitly required to trigger the bug under normal driver initialization paths, though the crash occurs during firmware loading, which typically happens at boot or module insertion. The flaw was discovered by the Linux Verification Center using the SVACE static analysis tool [1][2].
Impact
A successful exploit of this NULL pointer dereference results in a kernel panic (denial of service). The attacker gains no code execution or privilege escalation, but the crash can render the system unavailable. The impact is limited to availability [1][2].
Mitigation
Patches have been applied to the Linux kernel stable branches. Users should update to a kernel version containing the fix commit 3fd2ef2ae2b5 (or later). No workaround is available other than applying the kernel update [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 4
1f52119809b7, 888830b2cbc0, 500fcc31e488, 3fd2ef2ae2b5
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4