In the Linux kernel, the following vulnerability has been resolved:

wifi: rtl818x: Kill URBs before clearing tx status queue

In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing
b_tx_status.queue. This change prevents callbacks from using already freed
skb due to anchor was not killed before freeing such skb.

BUG: kernel NULL pointer dereference, address: 0000000000000080
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]
Call Trace:
<IRQ>
rtl8187_tx_cb+0x116/0x150 [rtl8187]
__usb_hcd_giveback_urb+0x9d/0x120
usb_giveback_urb_bh+0xbb/0x140
process_one_work+0x19b/0x3c0
bh_worker+0x1a7/0x210
tasklet_action+0x10/0x30
handle_softirqs+0xf0/0x340
__irq_exit_rcu+0xcd/0xf0
common_interrupt+0x85/0xa0
</IRQ>

Tested on RTL8187BvE device.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00064.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Linux Subscribe
Linux Kernel Subscribe

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Linux Subscribe
Linux Kernel Subscribe
Advisories
Source ID Title
Debian DLA Debian DLA DLA-4327-1 linux security update
Debian DLA Debian DLA DLA-4328-1 linux-6.1 security update
EUVD EUVD EUVD-2025-26092 In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Kill URBs before clearing tx status queue In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing b_tx_status.queue. This change prevents callbacks from using already freed skb due to anchor was not killed before freeing such skb. BUG: kernel NULL pointer dereference, address: 0000000000000080 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211] Call Trace: <IRQ> rtl8187_tx_cb+0x116/0x150 [rtl8187] __usb_hcd_giveback_urb+0x9d/0x120 usb_giveback_urb_bh+0xbb/0x140 process_one_work+0x19b/0x3c0 bh_worker+0x1a7/0x210 tasklet_action+0x10/0x30 handle_softirqs+0xf0/0x340 __irq_exit_rcu+0xcd/0xf0 common_interrupt+0x85/0xa0 </IRQ> Tested on RTL8187BvE device. Found by Linux Verification Center (linuxtesting.org) with SVACE.
Ubuntu USN Ubuntu USN USN-7879-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7879-2 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-7880-1 Linux kernel (OEM) vulnerabilities
Ubuntu USN Ubuntu USN USN-7879-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7909-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7879-4 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7909-2 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-7909-3 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7910-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7909-4 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7910-2 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-7909-5 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-7933-1 Linux kernel (KVM) vulnerabilities
Ubuntu USN Ubuntu USN USN-7934-1 Linux kernel (Azure) vulnerabilities
Ubuntu USN Ubuntu USN USN-7938-1 Linux kernel (Azure) vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/14ca6952691fa8cc91e7644512e6ff24a595283f cve-icon cve-icon
https://git.kernel.org/stable/c/16d8fd74dbfca0ea58645cd2fca13be10cae3cdd cve-icon cve-icon
https://git.kernel.org/stable/c/7858a95566f4ebf59524666683d2dcdba3fca968 cve-icon cve-icon
https://git.kernel.org/stable/c/789415771422f4fb9f444044f86ecfaec55df1bd cve-icon cve-icon
https://git.kernel.org/stable/c/81cfe34d0630de4e23ae804dcc08fb6f861dc37d cve-icon cve-icon
https://git.kernel.org/stable/c/8c767727f331fb9455b0f81daad832b5925688cb cve-icon cve-icon
https://git.kernel.org/stable/c/c51a45ad9070a6d296174fcbe5c466352836c12b cve-icon cve-icon
https://git.kernel.org/stable/c/c73c773b09e313278f9b960303a2809b8440bac6 cve-icon cve-icon
https://git.kernel.org/stable/c/e64732ebff9e24258e7326f07adbe2f2b990daf8 cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html cve-icon
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html cve-icon
https://lore.kernel.org/linux-cve-announce/2025081921-CVE-2025-38604-fd5d@gregkh/T cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-38604 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-38604 cve-icon
History

Mon, 03 Nov 2025 18:30:00 +0000

Type Values Removed Values Added
References

Thu, 28 Aug 2025 15:00:00 +0000

Type Values Removed Values Added
References

Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Vendors & Products Linux
Linux linux Kernel

Wed, 20 Aug 2025 00:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Tue, 19 Aug 2025 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Kill URBs before clearing tx status queue In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing b_tx_status.queue. This change prevents callbacks from using already freed skb due to anchor was not killed before freeing such skb. BUG: kernel NULL pointer dereference, address: 0000000000000080 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211] Call Trace: <IRQ> rtl8187_tx_cb+0x116/0x150 [rtl8187] __usb_hcd_giveback_urb+0x9d/0x120 usb_giveback_urb_bh+0xbb/0x140 process_one_work+0x19b/0x3c0 bh_worker+0x1a7/0x210 tasklet_action+0x10/0x30 handle_softirqs+0xf0/0x340 __irq_exit_rcu+0xcd/0xf0 common_interrupt+0x85/0xa0 </IRQ> Tested on RTL8187BvE device. Found by Linux Verification Center (linuxtesting.org) with SVACE.
Title wifi: rtl818x: Kill URBs before clearing tx status queue
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2025-11-03T17:40:19.561Z

Reserved: 2025-04-16T04:51:24.028Z

Link: CVE-2025-38604

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-19T17:15:38.647

Modified: 2025-11-03T18:16:31.173

Link: CVE-2025-38604

cve-icon Redhat

Severity : Important

Publid Date: 2025-08-19T00:00:00Z

Links: CVE-2025-38604 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2025-08-21T12:31:46Z

Weaknesses

No weakness.