{"id":"CVE-2025-38604","summary":"wifi: rtl818x: Kill URBs before clearing tx status queue","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: Kill URBs before clearing tx status queue\n\nIn rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing\nb_tx_status.queue. This change prevents callbacks from using already freed\nskb due to anchor was not killed before freeing such skb.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]\n Call Trace:\n  \u003cIRQ\u003e\n  rtl8187_tx_cb+0x116/0x150 [rtl8187]\n  __usb_hcd_giveback_urb+0x9d/0x120\n  usb_giveback_urb_bh+0xbb/0x140\n  process_one_work+0x19b/0x3c0\n  bh_worker+0x1a7/0x210\n  tasklet_action+0x10/0x30\n  handle_softirqs+0xf0/0x340\n  __irq_exit_rcu+0xcd/0xf0\n  common_interrupt+0x85/0xa0\n  \u003c/IRQ\u003e\n\nTested on RTL8187BvE device.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.","modified":"2026-04-16T00:01:14.220963986Z","published":"2025-08-19T17:03:43.358Z","related":["SUSE-SU-2025:03272-1","SUSE-SU-2025:03290-1","SUSE-SU-2025:03301-1","SUSE-SU-2025:03382-1","SUSE-SU-2025:03602-1","SUSE-SU-2025:03614-1","SUSE-SU-2025:03633-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20653-1","SUSE-SU-2025:20669-1","SUSE-SU-2025:20739-1","SUSE-SU-2025:20756-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38604.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/14ca6952691fa8cc91e7644512e6ff24a595283f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/16d8fd74dbfca0ea58645cd2fca13be10cae3cdd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7858a95566f4ebf59524666683d2dcdba3fca968"},{"type":"WEB","url":"https://git.kernel.org/stable/c/789415771422f4fb9f444044f86ecfaec55df1bd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/81cfe34d0630de4e23ae804dcc08fb6f861dc37d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8c767727f331fb9455b0f81daad832b5925688cb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c51a45ad9070a6d296174fcbe5c466352836c12b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c73c773b09e313278f9b960303a2809b8440bac6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e64732ebff9e24258e7326f07adbe2f2b990daf8"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38604.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38604"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c1db52b9d27ee6e15a7136e67e4a21dc916cd07f"},{"fixed":"e64732ebff9e24258e7326f07adbe2f2b990daf8"},{"fixed":"789415771422f4fb9f444044f86ecfaec55df1bd"},{"fixed":"c73c773b09e313278f9b960303a2809b8440bac6"},{"fixed":"8c767727f331fb9455b0f81daad832b5925688cb"},{"fixed":"14ca6952691fa8cc91e7644512e6ff24a595283f"},{"fixed":"7858a95566f4ebf59524666683d2dcdba3fca968"},{"fixed":"c51a45ad9070a6d296174fcbe5c466352836c12b"},{"fixed":"81cfe34d0630de4e23ae804dcc08fb6f861dc37d"},{"fixed":"16d8fd74dbfca0ea58645cd2fca13be10cae3cdd"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38604.json"}}],"schema_version":"1.7.5"}