CVE-2025-40066
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7996: Check phy before init msta_link in mt7996_mac_sta_add_links()
In order to avoid a possible NULL pointer dereference in mt7996_mac_sta_init_link routine, move the phy pointer check before running mt7996_mac_sta_init_link() in mt7996_mac_sta_add_links routine.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in the Linux kernel's mt76 driver for MediaTek Wi-Fi chips is fixed by moving a phy pointer check before a station initialization call.
In the mt76 wireless driver for MediaTek MT7996 chipsets, mt7996_mac_sta_add_links() called mt7996_mac_sta_init_link() before verifying that the phy pointer for the link was non-NULL. If a station link was added while that pointer was NULL, the init routine dereferenced it, so the check was effectively too late to protect the code that needed it. The fix reorders the function so the phy check runs before mt7996_mac_sta_init_link() is called [1].
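The ordering bug that the Description and the paragraph above describe, as an added userspace illustration (not code from the mt76 driver). The struct layouts, the per-link phy lookup, the band_idx field and the decision to fail the whole add with -EINVAL on a missing phy are hypothetical stand-ins; only the shape of the defect, init-before-check versus check-before-init, mirrors the upstream fix:

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_LINKS 3   /* hypothetical; the real MLO link limit is not modelled */

struct mt7996_phy { int band_idx; };                /* hypothetical stand-in */
struct mt7996_sta_link { int wcid; bool ready; };   /* hypothetical stand-in */

struct mt7996_dev {
	/* One phy per link id; a NULL entry models a link that has no phy. */
	struct mt7996_phy *phys[MAX_LINKS];
};

/* Stand-in for mt7996_mac_sta_init_link(): it assumes phy is valid. */
static int sta_init_link(struct mt7996_phy *phy, struct mt7996_sta_link *link, int link_id)
{
	link->wcid = phy->band_idx * 100 + link_id;   /* a NULL phy faults here */
	link->ready = true;
	return 0;
}

/* Pre-fix ordering: the init call runs first, so the phy check comes too late. */
static int sta_add_links_buggy(struct mt7996_dev *dev, struct mt7996_sta_link *links,
			       unsigned long new_links)
{
	int done = 0;

	for (int id = 0; id < MAX_LINKS; id++) {
		struct mt7996_phy *phy;

		if (!(new_links & (1UL << id)))
			continue;
		phy = dev->phys[id];
		sta_init_link(phy, &links[id], id);   /* BUG: phy may be NULL */
		if (!phy)
			return -EINVAL;
		done++;
	}
	return done;
}

/* Post-fix ordering: phy is checked before the init routine is entered. */
static int sta_add_links_fixed(struct mt7996_dev *dev, struct mt7996_sta_link *links,
			       unsigned long new_links)
{
	int done = 0;

	for (int id = 0; id < MAX_LINKS; id++) {
		struct mt7996_phy *phy;

		if (!(new_links & (1UL << id)))
			continue;
		phy = dev->phys[id];
		if (!phy)
			return -EINVAL;   /* assumption: fail the add; the driver's policy is not shown here */
		sta_init_link(phy, &links[id], id);
		done++;
	}
	return done;
}

/* Constructed scenario: every link has a phy. Both orderings behave the same. */
int run_fixed_all_present(void)
{
	struct mt7996_phy p0 = { 0 }, p1 = { 1 }, p2 = { 2 };
	struct mt7996_dev dev = { { &p0, &p1, &p2 } };
	struct mt7996_sta_link links[MAX_LINKS] = { 0 };

	return sta_add_links_fixed(&dev, links, 0x7);
}

int run_buggy_all_present(void)
{
	struct mt7996_phy p0 = { 0 }, p1 = { 1 }, p2 = { 2 };
	struct mt7996_dev dev = { { &p0, &p1, &p2 } };
	struct mt7996_sta_link links[MAX_LINKS] = { 0 };

	return sta_add_links_buggy(&dev, links, 0x7);
}

/* Constructed scenario: link 1 has no phy. Only the fixed ordering survives it. */
int run_fixed_missing_phy(void)
{
	struct mt7996_phy p0 = { 0 }, p2 = { 2 };
	struct mt7996_dev dev = { { &p0, NULL, &p2 } };
	struct mt7996_sta_link links[MAX_LINKS] = { 0 };

	return sta_add_links_fixed(&dev, links, 0x7);
}

int main(void)
{
	printf("fixed, all phys present: %d links\n", run_fixed_all_present());
	printf("buggy, all phys present: %d links\n", run_buggy_all_present());
	printf("fixed, link 1 has no phy: %d (expect -EINVAL)\n", run_fixed_missing_phy());
	/* sta_add_links_buggy() on the missing-phy device would dereference NULL
	 * inside sta_init_link() before its own check; that is the kernel oops. */
	return 0;
}
```

The point to take from the two loops is that the check and the dereference sit in different functions: a NULL test placed after the callee has already used the pointer is dead code on the failing path, which is why the fix is purely a reordering and adds no new logic.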
Reaching the dereference requires a code path in which a station is added on a link whose phy pointer is NULL, for example during a driver state transition. mt7996_mac_sta_add_links() runs from the driver's station-add callback, so the trigger is local interaction with the Wi-Fi interface rather than an authentication bypass; the description does not name a specific sequence that leaves the pointer NULL.
The impact of triggering the NULL pointer dereference is a kernel oops, that is, denial of service on the affected host. Nothing in the description indicates code execution or privilege escalation, but a crash in the Wi-Fi path can take down clients or access points built on this driver [1].
The fix is the commit listed under Patches below (2e671536c1c3…), a reordering of the existing check with no new logic. Update to a kernel that contains it or apply the patch to the distribution kernel; no other workaround is documented, and the CVE is not known to be listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (2)
2e671536c1c3fe5fffadc6c7
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.