PT-2025-22180 · Linux+5 · Linux Kernel+5
Published: 2025-04-25 · Updated: 2026-05-22 · CVE-2025-37918
CVSS v2.0: 6.1 (Medium)
Vector: AV:A/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A NULL pointer dereference can occur in `skb_dequeue()` when processing a QCA firmware crash dump on WCN7851 (0489:e0f3). The issue stems from `handle_dump_pkt_qca()` returning 0 even when a dump packet is successfully processed, leading to premature `kfree()` of the skb. Later, `hci_devcd_rx()` attempts to dequeue the same skb from the dump queue, resulting in a NULL pointer dereference. This issue is related to the handling of dump packets in the Bluetooth functionality of the Linux kernel.
Recommendations
To resolve this issue, the following steps should be taken:
- Update the `handle_dump_pkt_qca()` function to return 0 on success and negative `errno` on failure, consistent with kernel conventions.
- Split dump packet detection into separate functions for ACL and event packets for better structure and readability.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
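The return-value ambiguity described above, as an added user-space model (not kernel code and not taken from this advisory or the kernel project). All names are hypothetical, and the model assumes the caller treats a zero return from the handler as "packet not handled"; `owners` counts the code paths that will later free or dequeue the same packet.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed user-space model; every name here is hypothetical. */
struct pkt { bool is_dump; int owners; };  /* owners = paths that free/dequeue it */
struct dump_queue { struct pkt *head; };

/* Generic receive path: takes ownership and frees the packet when done. */
static void generic_rx(struct pkt *p) { p->owners++; }

/* Flawed handler: queues a dump packet for later dequeue, yet returns 0,
 * the same value it returns for "not a dump packet". */
static int handle_dump_flawed(struct dump_queue *q, struct pkt *p)
{
    if (!p->is_dump)
        return 0;
    q->head = p;
    p->owners++;
    return 0;
}

/* Assumed caller: treats a zero return as "not handled". */
static int recv_flawed(struct dump_queue *q, struct pkt *p)
{
    if (handle_dump_flawed(q, p))
        return 0;
    generic_rx(p);              /* a dump packet now has two owners */
    return 0;
}

/* Corrected shape: detection is a separate predicate, and the handler
 * reports 0 on success or a negative errno on failure. */
static bool pkt_is_dump(const struct pkt *p) { return p->is_dump; }

static int handle_dump_fixed(struct dump_queue *q, struct pkt *p)
{
    if (q->head)
        return -EBUSY;          /* a dump is already pending in this model */
    q->head = p;
    p->owners++;
    return 0;
}

static int recv_fixed(struct dump_queue *q, struct pkt *p)
{
    if (pkt_is_dump(p))
        return handle_dump_fixed(q, p);
    generic_rx(p);
    return 0;
}
```

A packet that ends with two owners is the condition behind the premature free and the later failed dequeue; in the corrected shape each packet ends with at most one.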
Exploit
DoS
NULL Pointer Dereference
Affected Products
Astra Linux
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu