CVE-2025-40131
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()
In ath12k_dp_mon_rx_deliver_msdu(), peer lookup fails because rxcb->peer_id is not updated with a valid value. This is expected in monitor mode, where RX frames bypass the regular RX descriptor path that typically sets rxcb->peer_id. As a result, the peer is NULL, and the link_id and link_valid fields in the RX status are not populated. This leads to a WARN_ON in mac80211 when it receives a data frame from an associated station with an invalid link_id.
Fix this potential issue by using ppduinfo->peer_id, which holds the correct peer id for the received frame. This ensures that the peer is correctly found and the associated link metadata is updated accordingly.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's ath12k driver, a peer lookup failure in monitor mode causes a WARN_ON in mac80211 because rxcb->peer_id is never set on the monitor RX path.
Vulnerability
Overview
The vulnerability resides in the Linux kernel's ath12k wireless driver, in ath12k_dp_mon_rx_deliver_msdu(). In monitor mode, RX frames bypass the regular RX descriptor path that normally sets rxcb->peer_id, so the peer lookup fails because rxcb->peer_id does not hold a valid value. This leaves the peer pointer NULL and the link_id and link_valid fields in the RX status unpopulated, which triggers a WARN_ON in mac80211 when it receives a data frame from an associated station with an invalid link_id [1].
Exploitation
An attacker with the ability to inject or influence monitor mode RX frames on a system using the ath12k driver could trigger this condition. No authentication is required beyond network access to send frames that are captured in monitor mode. The bug is triggered during normal operation when the driver processes a received frame without a valid peer ID, causing the kernel to issue a warning.
Impact
The primary impact is a kernel WARN_ON, which can cause system instability or denial of service if the warning is treated as a panic (depending on kernel configuration). The warning indicates that the driver is not correctly associating frames with their peer, potentially leading to incorrect link metadata and affecting wireless functionality.
Mitigation
The fix is included in the Linux kernel stable tree. The patch replaces the use of rxcb->peer_id with ppduinfo->peer_id, which holds the correct peer ID for the received frame, ensuring proper peer lookup and link metadata update [1]. Users should update their kernel to a version containing this commit.
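The lookup failure described above and the fix just outlined, as an added example that is not the kernel's or the ath12k driver's own code: a simplified model of the deliver path in which the monitor parser fills a per-PPDU peer id while the per-skb control block is left untouched. The structure names, the peer table and the frame values are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model, not ath12k's own code: peer table, per-skb control block
 * (rxcb), per-PPDU info from the monitor parser, and the RX status fields. */
struct peer { uint16_t peer_id; bool mlo_sta; uint8_t link_id; };
struct skb_rxcb { uint16_t peer_id; };      /* not written on the monitor path */
struct mon_ppdu_info { uint16_t peer_id; }; /* written by the monitor parser */
struct rx_status { bool link_valid; uint8_t link_id; };
/* Constructed peer table: one MLO station known as peer 5 on link 1. */
static const struct peer peers[] = { { 5, true, 1 } };

static const struct peer *peer_find_by_id(uint16_t id)
{
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        if (peers[i].peer_id == id)
            return &peers[i];
    return NULL; /* an unset or stale id lands here */
}

/* Shared tail of the deliver path: link metadata comes only from the peer. */
static void fill_link_status(const struct peer *peer, struct rx_status *st)
{
    st->link_valid = peer && peer->mlo_sta;
    st->link_id = st->link_valid ? peer->link_id : 0;
}

/* Before the fix: rxcb->peer_id is unset for monitor frames, so peer is NULL. */
static void deliver_vulnerable(const struct skb_rxcb *rxcb, struct rx_status *st)
{
    fill_link_status(peer_find_by_id(rxcb->peer_id), st);
}

/* After the fix: ppduinfo->peer_id carries the id recovered for the frame. */
static void deliver_fixed(const struct mon_ppdu_info *pi, struct rx_status *st)
{
    fill_link_status(peer_find_by_id(pi->peer_id), st);
}

/* One constructed monitor-mode frame through either path; reports link_valid. */
bool monitor_frame_link_valid(bool use_fix)
{
    struct skb_rxcb rxcb = { 0xffff }; /* untouched: constructed invalid id */
    struct mon_ppdu_info pi = { 5 };   /* parser recovered peer 5 */
    struct rx_status st = { false, 0 };
    if (use_fix)
        deliver_fixed(&pi, &st);
    else
        deliver_vulnerable(&rxcb, &st);
    return st.link_valid;
}
```

With the old lookup the status reaches mac80211 without link_valid set for an MLO station's data frame, which is the condition behind the WARN_ON; with the ppduinfo-based lookup the link metadata is populated.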
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
2da64eb2da76c7ca61ed8b3f3
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References