CVE-2025-68738

Root

Cause The vulnerability resides in the Linux kernel's mt76 WiFi driver, specifically in the function mt7996_conf_tx(). When a virtual interface link does not yet have an assigned channel, mt7996_vif_link returns NULL. The original code incorrectly attempted to dereference this NULL pointer to store updated queue parameters, causing a null pointer dereference [1].

Exploitation

An attacker would need to trigger a scenario where a wireless link is configured without a channel assignment, such as during early association or certain reconfiguration events. This can be done locally by a user with sufficient privileges to manipulate network interfaces, or potentially via crafted management frames that cause the driver to process transmit queue configuration before the channel is fully established.

Impact

Successful exploitation results in a kernel NULL pointer dereference, leading to a system crash (denial of service). The vulnerability does not appear to allow arbitrary code execution, but it can reliably cause a panic, making the system unavailable.

Mitigation

The fix moves the storage of queue parameters into struct mt7996_vif_link so that settings can be saved and applied later when the channel becomes available, preventing the NULL dereference. The patch has been committed to the stable kernel tree [1]. Users should update to a kernel version containing this fix.