Unrated severity · NVD Advisory · Published Dec 16, 2025 · Updated Apr 15, 2026

CVE-2025-68182

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link()

This code frees "link" by calling kfree_rcu(link, rcu_head) and then it dereferences "link" to get the "link->fw_id". Save the "link->fw_id" first to avoid a potential use after free.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In iwlwifi, a use-after-free in iwl_mld_remove_link() due to accessing link->fw_id after kfree_rcu can lead to memory corruption; fixed by saving fw_id first.

Bug

In the Linux kernel's iwlwifi driver, the function iwl_mld_remove_link() frees the link structure via kfree_rcu(link, rcu_head) and then dereferences link->fw_id. This is a potential use-after-free: the freed memory could be reallocated by another thread, leading to corruption or exploitation.

Exploitation

The vulnerability is triggered during driver link teardown operations. An attacker would need local access to the system and the ability to influence wireless operations or trigger the specific code path. The bug is in kernel-level code, so no user interaction beyond normal usage is required, but it is not directly exploitable from user space without additional conditions.

Impact

A use-after-free can result in memory corruption, system crashes, or potentially arbitrary code execution at the kernel level. An attacker who successfully exploits this could gain elevated privileges, cause denial of service, or bypass security mechanisms.

Mitigation

The fix, committed to the kernel stable tree [1], saves link->fw_id into a local variable before freeing link, eliminating the use-after-free. The patch is included in mainline and stable kernel updates. Users should apply the latest kernel updates to address this vulnerability.
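
The ordering problem described above, as an added userspace model in C (not the iwlwifi source or the upstream patch): only `link`, `fw_id` and `rcu_head` come from the advisory, and every other name is hypothetical. The `kfree_rcu()` stand-in poisons a static object immediately, modelling the worst case where the grace period has already ended, so the stale read is observable without undefined behaviour.

```c
#include <stdint.h>
#include <string.h>

/* Userspace model, NOT the iwlwifi source: only "link", "fw_id" and
 * "rcu_head" come from the advisory; all other names are hypothetical. */
#define FW_ID_SLOTS 4
#define POISON_BYTE 0x6b   /* byte the kernel's slab poisoning writes into freed objects */

struct link_model {
    uint32_t fw_id;
    struct { void *next; } rcu_head;
};

static struct link_model pool;         /* static storage: reads after "free" stay defined */
static void *fw_id_map[FW_ID_SLOTS];   /* hypothetical fw_id -> link lookup table */

/* Stand-in for kfree_rcu(): assumes the grace period has already elapsed
 * and the allocator has poisoned the object (the worst case). */
static void model_kfree_rcu(struct link_model *link)
{
    memset(link, POISON_BYTE, sizeof(*link));
}

static struct link_model *model_add_link(uint32_t fw_id)
{
    if (fw_id >= FW_ID_SLOTS)
        return NULL;
    pool.fw_id = fw_id;
    fw_id_map[fw_id] = &pool;
    return &pool;
}

/* Ordering the advisory describes as the bug: free, then read link->fw_id. */
static uint32_t remove_link_free_then_read(struct link_model *link)
{
    model_kfree_rcu(link);
    uint32_t idx = link->fw_id;        /* stale read: yields poison, not the id */
    if (idx < FW_ID_SLOTS)
        fw_id_map[idx] = NULL;         /* skipped here; the stale map entry survives */
    return idx;
}

/* Ordering the advisory describes as the fix: save fw_id, then free. */
static uint32_t remove_link_save_then_free(struct link_model *link)
{
    uint32_t fw_id = link->fw_id;      /* copy while the object is still live */
    model_kfree_rcu(link);
    if (fw_id < FW_ID_SLOTS)
        fw_id_map[fw_id] = NULL;
    return fw_id;
}
```

In the model the free-then-read ordering returns the poison pattern and leaves a dangling lookup entry, while the save-then-free ordering clears the correct slot.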

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
