CVE-2025-39991 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()

If ab->fw.m3_data points to data, then fw pointer remains null.
Further, if m3_mem is not allocated, then fw is dereferenced to be
passed to ath11k_err function.

Replace fw->size by m3_len.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/1f52119809b76d43759fc47da1cf708690b740a1
https://git.kernel.org/stable/c/3fd2ef2ae2b5c955584a3bee8e83ae7d7a98f782
https://git.kernel.org/stable/c/500fcc31e488d798937a23dbb1f62db46820c5b2
https://git.kernel.org/stable/c/888830b2cbc035838bebefe94502976da94332a5

History

Wed, 15 Oct 2025 08:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load() If ab->fw.m3_data points to data, then fw pointer remains null. Further, if m3_mem is not allocated, then fw is dereferenced to be passed to ath11k_err function. Replace fw->size by m3_len. Found by Linux Verification Center (linuxtesting.org) with SVACE.
Title		wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()
References		https://git.kernel.org/stable/c/1f52119809b76d43759fc47da1cf708690b740a1 https://git.kernel.org/stable/c/3fd2ef2ae2b5c955584a3bee8e83ae7d7a98f782 https://git.kernel.org/stable/c/500fcc31e488d798937a23dbb1f62db46820c5b2 https://git.kernel.org/stable/c/888830b2cbc035838bebefe94502976da94332a5

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-10-15T07:58:17.257Z

Updated: 2025-10-15T07:58:17.257Z

Reserved: 2025-04-16T07:20:57.150Z

Link: CVE-2025-39991

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-10-15T08:15:37.197

Modified: 2025-10-15T08:15:37.197

Link: CVE-2025-39991

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39991", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.150Z", "datePublished": "2025-10-15T07:58:17.257Z", "dateUpdated": "2025-10-15T07:58:17.257Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-10-15T07:58:17.257Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()\n\nIf ab->fw.m3_data points to data, then fw pointer remains null.\nFurther, if m3_mem is not allocated, then fw is dereferenced to be\npassed to ath11k_err function.\n\nReplace fw->size by m3_len.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath11k/qmi.c"], "versions": [{"version": "7db88b962f06a52af5e9a32971012e8f3427cec0", "lessThan": "1f52119809b76d43759fc47da1cf708690b740a1", "status": "affected", "versionType": "git"}, {"version": "7db88b962f06a52af5e9a32971012e8f3427cec0", "lessThan": "888830b2cbc035838bebefe94502976da94332a5", "status": "affected", "versionType": "git"}, {"version": "7db88b962f06a52af5e9a32971012e8f3427cec0", "lessThan": "500fcc31e488d798937a23dbb1f62db46820c5b2", "status": "affected", "versionType": "git"}, {"version": "7db88b962f06a52af5e9a32971012e8f3427cec0", "lessThan": "3fd2ef2ae2b5c955584a3bee8e83ae7d7a98f782", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath11k/qmi.c"], "versions": [{"version": "6.7", "status": "affected"}, {"version": "0", "lessThan": "6.7", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.51", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.11", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.1", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.51"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.16.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.17.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.18-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1f52119809b76d43759fc47da1cf708690b740a1"}, {"url": "https://git.kernel.org/stable/c/888830b2cbc035838bebefe94502976da94332a5"}, {"url": "https://git.kernel.org/stable/c/500fcc31e488d798937a23dbb1f62db46820c5b2"}, {"url": "https://git.kernel.org/stable/c/3fd2ef2ae2b5c955584a3bee8e83ae7d7a98f782"}], "title": "wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()", "x_generator": {"engine": "bippy-1.2.0"}}}}