CVE-2025-38643

5.5

MEDIUM CVSS 3.1

wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()

Overview
Vulnerability Timeline

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() Callers of wdev_chandef() must hold the wiphy mutex. But the worker cfg80211_propagate_cac_done_wk() never takes the lock. Which triggers the warning below with the mesh_peer_connected_dfs test from hostapd and not (yet) released mac80211 code changes: WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165 Modules linked in: CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf Workqueue: cfg80211 cfg80211_propagate_cac_done_wk Stack: 00000000 00000001 ffffff00 6093267c 00000000 6002ec30 6d577c50 60037608 00000000 67e8d108 6063717b 00000000 Call Trace: [<6002ec30>] ? _printk+0x0/0x98 [<6003c2b3>] show_stack+0x10e/0x11a [<6002ec30>] ? _printk+0x0/0x98 [<60037608>] dump_stack_lvl+0x71/0xb8 [<6063717b>] ? wdev_chandef+0x60/0x165 [<6003766d>] dump_stack+0x1e/0x20 [<6005d1b7>] __warn+0x101/0x20f [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 [<600b11a2>] ? mark_held_locks+0x5a/0x6e [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d [<60052e53>] ? unblock_signals+0x3a/0xe7 [<60052f2d>] ? um_set_signals+0x2d/0x43 [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 [<607508b2>] ? lock_is_held_type+0x207/0x21f [<6063717b>] wdev_chandef+0x60/0x165 [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f [<60052f00>] ? um_set_signals+0x0/0x43 [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a [<6007e460>] process_scheduled_works+0x3bc/0x60e [<6007d0ec>] ? move_linked_works+0x4d/0x81 [<6007d120>] ? assign_work+0x0/0xaa [<6007f81f>] worker_thread+0x220/0x2dc [<600786ef>] ? set_pf_worker+0x0/0x57 [<60087c96>] ? to_kthread+0x0/0x43 [<6008ab3c>] kthread+0x2d3/0x2e2 [<6007f5ff>] ? worker_thread+0x0/0x2dc [<6006c05b>] ? calculate_sigpending+0x0/0x56 [<6003b37d>] new_thread_handler+0x4a/0x64 irq event stamp: 614611 hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985 softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985

INFO

Published Date :

Aug. 22, 2025, 4:15 p.m.

Last Modified :

Dec. 1, 2025, 7:14 p.m.

Remotely Exploit :

No

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected Products

The following products are affected by CVE-2025-38643 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID	Vendor	Product	Action
1	Linux	linux_kernel

: Total Affected Vendor : 1 | Products : 1

CVSS Scores

The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.

Score	Version	Severity	Vector	Exploitability Score	Impact Score	Source
	CVSS 3.1	MEDIUM				[email protected]

Solution

Update Linux kernel to resolve a race condition in cfg80211 due to missing lock.

Update the Linux kernel.
Apply the patch for cfg80211.
Ensure wiphy mutex is held by callers.
Add the missing lock to the worker.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-38643.

URL	Resource
https://git.kernel.org/stable/c/2c5dee15239f3f3e31aa5c8808f18996c039e2c1	Patch
https://git.kernel.org/stable/c/4a63523d3541eef4cf504a9682e6fbe94ffe79a6	Patch
https://git.kernel.org/stable/c/7022df2248c08c6f75a01714163ac902333bf3db	Patch
https://git.kernel.org/stable/c/b3d24038eb775f2f7a1dfef58d8e1dc444a12820	Patch
https://git.kernel.org/stable/c/dbce810607726408f889d3358f4780fd1436861e	Patch

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-38643 is associated with the following CWEs:

CWE-667: Improper Locking

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-38643 weaknesses.

CAPEC-25: Forced Deadlock Forced Deadlock CAPEC-26: Leveraging Race Conditions Leveraging Race Conditions CAPEC-27: Leveraging Race Conditions via Symbolic Links Leveraging Race Conditions via Symbolic Links

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2025-38643 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2025-38643 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

Initial Analysis by [email protected]

Dec. 01, 2025

Action	Type	New Value
Added	CVSS V3.1	AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Added	CWE	CWE-667
Added	CPE Configuration	OR cpe:2.3:o:linux:linux_kernel:5.5:-::::::* cpe:2.3:o:linux:linux_kernel:5.5:rc7::::::* cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.16 up to (excluding) 6.16.1 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.13 up to (excluding) 6.15.10 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 4.14.170 up to (excluding) 4.15 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 4.19.102 up to (excluding) 4.20 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.4.18 up to (excluding) 5.5 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 5.5.1 up to (excluding) 6.6.118 cpe:2.3:o:linux:linux_kernel::::::::* versions from (including) 6.7 up to (excluding) 6.12.57
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/2c5dee15239f3f3e31aa5c8808f18996c039e2c1 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/4a63523d3541eef4cf504a9682e6fbe94ffe79a6 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/7022df2248c08c6f75a01714163ac902333bf3db Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/b3d24038eb775f2f7a1dfef58d8e1dc444a12820 Types: Patch
Added	Reference Type	kernel.org: https://git.kernel.org/stable/c/dbce810607726408f889d3358f4780fd1436861e Types: Patch

CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Dec. 01, 2025

Action	Type	Old Value	New Value
Added	Reference		https://git.kernel.org/stable/c/b3d24038eb775f2f7a1dfef58d8e1dc444a12820

CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Nov. 02, 2025

Action	Type	Old Value	New Value
Added	Reference		https://git.kernel.org/stable/c/4a63523d3541eef4cf504a9682e6fbe94ffe79a6

New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Aug. 22, 2025

Action	Type	New Value
Added	Description	In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() Callers of wdev_chandef() must hold the wiphy mutex. But the worker cfg80211_propagate_cac_done_wk() never takes the lock. Which triggers the warning below with the mesh_peer_connected_dfs test from hostapd and not (yet) released mac80211 code changes: WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165 Modules linked in: CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf Workqueue: cfg80211 cfg80211_propagate_cac_done_wk Stack: 00000000 00000001 ffffff00 6093267c 00000000 6002ec30 6d577c50 60037608 00000000 67e8d108 6063717b 00000000 Call Trace: [<6002ec30>] ? _printk+0x0/0x98 [<6003c2b3>] show_stack+0x10e/0x11a [<6002ec30>] ? _printk+0x0/0x98 [<60037608>] dump_stack_lvl+0x71/0xb8 [<6063717b>] ? wdev_chandef+0x60/0x165 [<6003766d>] dump_stack+0x1e/0x20 [<6005d1b7>] __warn+0x101/0x20f [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 [<600b11a2>] ? mark_held_locks+0x5a/0x6e [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d [<60052e53>] ? unblock_signals+0x3a/0xe7 [<60052f2d>] ? um_set_signals+0x2d/0x43 [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 [<607508b2>] ? lock_is_held_type+0x207/0x21f [<6063717b>] wdev_chandef+0x60/0x165 [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f [<60052f00>] ? um_set_signals+0x0/0x43 [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a [<6007e460>] process_scheduled_works+0x3bc/0x60e [<6007d0ec>] ? move_linked_works+0x4d/0x81 [<6007d120>] ? assign_work+0x0/0xaa [<6007f81f>] worker_thread+0x220/0x2dc [<600786ef>] ? set_pf_worker+0x0/0x57 [<60087c96>] ? to_kthread+0x0/0x43 [<6008ab3c>] kthread+0x2d3/0x2e2 [<6007f5ff>] ? worker_thread+0x0/0x2dc [<6006c05b>] ? calculate_sigpending+0x0/0x56 [<6003b37d>] new_thread_handler+0x4a/0x64 irq event stamp: 614611 hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985 softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985
Added	Reference	https://git.kernel.org/stable/c/2c5dee15239f3f3e31aa5c8808f18996c039e2c1
Added	Reference	https://git.kernel.org/stable/c/7022df2248c08c6f75a01714163ac902333bf3db
Added	Reference	https://git.kernel.org/stable/c/dbce810607726408f889d3358f4780fd1436861e

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.

Browse by Apps

CVE-2025-38643

wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()

Description

INFO

Aug. 22, 2025, 4:15 p.m.

Dec. 1, 2025, 7:14 p.m.

No

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected Products

CVSS Scores

Solution

References to Advisories, Solutions, and Tools

CWE - Common Weakness Enumeration

Common Attack Pattern Enumeration and Classification (CAPEC)

Initial Analysis by [email protected]

CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Vulnerability Scoring Details

Base CVSS Score: 5.5

CVEFeed.io UI Customizer

Layout

Vertical

Horizontal

Two Column

Color Scheme

Light

Dark

Layout Width

Fluid

Boxed

Layout Position

Topbar Color

Light

Dark

Sidebar Size

Default

Compact

Small (Icon View)

Small Hover View

Sidebar View

Default

Detached

Sidebar Color

Light

Dark

Gradient

Preloader

Enable

Disable