{"id":"AZL-66377","summary":"CVE-2025-38513 affecting package kernel for versions less than 6.6.104.2-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()\n\nThere is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For\nexample, the following is possible:\n\n    \tT0\t\t\t    \t\tT1\nzd_mac_tx_to_dev()\n  /* len == skb_queue_len(q) */\n  while (len \u003e ZD_MAC_MAX_ACK_WAITERS) {\n\n\t\t\t\t\t  filter_ack()\n\t\t\t\t\t    spin_lock_irqsave(&q-\u003elock, flags);\n\t\t\t\t\t    /* position == skb_queue_len(q) */\n\t\t\t\t\t    for (i=1; i\u003cposition; i++)\n\t\t\t\t    \t      skb = __skb_dequeue(q)\n\n\t\t\t\t\t    if (mac-\u003etype == NL80211_IFTYPE_AP)\n\t\t\t\t\t      skb = __skb_dequeue(q);\n\t\t\t\t\t    spin_unlock_irqrestore(&q-\u003elock, flags);\n\n    skb_dequeue() -\u003e NULL\n\nSince there is a small gap between checking skb queue length and skb being\nunconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.\nThen the pointer is passed to zd_mac_tx_status() where it is dereferenced.\n\nIn order to avoid potential NULL pointer dereference due to situations like\nabove, check if skb is not NULL before passing it to zd_mac_tx_status().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.","modified":"2026-04-01T05:21:46.260504Z","published":"2025-08-16T11:15:44Z","upstream":["CVE-2025-38513"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38513"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.104.2-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66377.json"}}],"schema_version":"1.7.5"}