CVE-2025-68729
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Fix MSDU buffer types handling in RX error path
Currently, packets received on the REO exception ring from unassociated peers are of MSDU buffer type, while the driver expects link descriptor type packets. These packets are not parsed further due to a return check on packet type in ath12k_hal_desc_reo_parse_err(), but the associated skb is not freed. This may lead to kernel crashes and buffer leaks.
Hence to fix, update the RX error handler to explicitly drop MSDU buffer type packets received on the REO exception ring. This prevents further processing of invalid packets and ensures stability in the RX error handling path.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel ath12k driver, a missing skb free for unexpected MSDU buffer type packets on the REO exception ring can lead to kernel crashes and memory leaks.
Vulnerability
Overview
A flaw was discovered in the Linux kernel's ath12k wireless driver, specifically in the handling of the receive (RX) error path for frames arriving on the REO exception ring. The driver expected only link descriptor type packets, but under certain conditions, such as when receiving frames from unassociated peers, the ring delivers packets of MSDU buffer type. These packets were not parsed due to a type check in ath12k_hal_desc_reo_parse_err(), but the associated socket buffer (skb) was not freed [1].
Exploitation
The vulnerability can be triggered without authentication because it involves frames from unassociated peers. An attacker within wireless range could send crafted packets that cause the driver to allocate buffer descriptors that are then leaked. No special privileges or network position beyond proximity to the victim device is required. The kernel continues to operate with a memory leak, and repeated exploitation could exhaust system memory or corrupt kernel structures, leading to a crash.
Impact
If exploited, an attacker could cause a denial of service (DoS) by repeatedly triggering the leak, resulting in kernel memory exhaustion and system instability. The issue may also lead to kernel crashes due to use-after-free or null pointer dereferences when the freed memory is eventually reused. The impact is local to the affected kernel, but the attack vector is remote over Wi-Fi, making it a high-severity issue in environments where untrusted wireless clients connect.
Mitigation
The fix has been applied in the Linux kernel stable tree as commit ab0554f51e5f [1]. The update adds an explicit check in the RX error handler to drop MSDU buffer type packets received on the REO exception ring, ensuring buffers are freed and preventing further processing. Users should apply this kernel patch or update to a kernel version containing the fix (e.g., 6.x.y with backport). No workaround is available without patching.
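A minimal userspace model of the leak and of the explicit drop described above, added here as an illustration; it is not the ath12k driver's code or the upstream patch. All identifiers are hypothetical, `malloc`/`free` stand in for skb allocation and release, and the type check in `rx_err_before` models the return check in `ath12k_hal_desc_reo_parse_err()`.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: every name below is hypothetical, not ath12k code. */
enum buf_type { BUF_TYPE_MSDU, BUF_TYPE_LINK_DESC };
struct ring_entry { enum buf_type type; void *skb; };

static void skb_release(struct ring_entry *e)
{
    free(e->skb);
    e->skb = NULL;
}

/* Before: an entry refused by the type check is skipped, never released. */
static void rx_err_before(struct ring_entry *e)
{
    if (e->type != BUF_TYPE_LINK_DESC)  /* models the parser's type check */
        return;                         /* leak: e->skb is still allocated */
    skb_release(e);                     /* stands in for normal handling */
}

/* After: MSDU buffer type entries are dropped explicitly before parsing. */
static void rx_err_after(struct ring_entry *e)
{
    if (e->type == BUF_TYPE_MSDU)
        skb_release(e);                 /* drop: free without parsing */
    else
        rx_err_before(e);               /* rest of the path is unchanged */
}

/* Feeds n constructed entries (every third is MSDU type); returns skbs left. */
static int leaked_skbs(void (*handler)(struct ring_entry *), int n)
{
    int leaked = 0;
    for (int i = 0; i < n; i++) {
        struct ring_entry e = { i % 3 ? BUF_TYPE_LINK_DESC : BUF_TYPE_MSDU, malloc(64) };
        handler(&e);
        leaked += e.skb != NULL;        /* handler returned without freeing */
        free(e.skb);                    /* harness cleanup only */
    }
    return leaked;
}

int main(void)
{
    printf("before: %d leaked, after: %d leaked\n",
           leaked_skbs(rx_err_before, 9), leaked_skbs(rx_err_after, 9));
    return 0;
}
```

In the model the leak count grows linearly with the number of MSDU buffer type entries, which is why an unfreed buffer per unexpected packet matters on a ring fed by unassociated peers.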
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.