How CVE-2025-22032 Works
The vulnerability is in the Linux kernel's mt76 driver stack for the MediaTek MT7921 Wi-Fi chipset (the `mt7921e` module and the shared `mt792x` code it uses), in the receive path. `mt792x_rx_get_wcid` maps the station index carried in a received frame back to the station's wcid entry, and to do that it walks from the `deflink` structure to the `sta` context that owns it. Because station initialization never linked `deflink` to its `sta`, that walk follows a NULL pointer: the kernel faults reading address 0x400, which is a field offset added to a NULL base, not a pointer into attacker-controlled memory. Frames received while a station is in this state crash the kernel, so the practical impact is a denial of service of the host. The CVE description records only the kernel panic; a read at a fixed low offset from NULL is not, on its own, a privilege escalation primitive, and no escalation path is documented.
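The crash pattern, as an added example that is not part of the original page or of the mt76 driver: a userspace model of the wcid -> deflink -> sta -> vif walk, with station setup done once as the vulnerable driver left it (back-pointer never set) and once with the link in place, which is what the fix ensures. The structure and function names (`wcid`, `link_sta`, `sta`, `vif`, `dev`, `rx_get_wcid`) are simplified stand-ins for mt76's, and the offsets differ from the kernel's; the point is that a NULL `sta` turns the next field read into a fault at a small constant address, which is the shape of the reported 0x400. The guard in `rx_get_wcid` is a defensive illustration, not the upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-ins for the mt76 structures involved (names simplified). */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

#define MAX_WCID 32

struct wcid {                 /* stand-in for struct mt76_wcid */
	uint16_t idx;
	uint8_t sta;              /* non-zero when the entry belongs to a station */
};

struct sta;
struct vif;

struct link_sta {             /* stand-in for struct mt792x_link_sta */
	struct wcid wcid;         /* first member: container_of() depends on it */
	struct sta *sta;          /* back-pointer to the owning station */
};

struct sta {                  /* stand-in for struct mt792x_sta */
	struct link_sta deflink;  /* embedded struct, not a pointer */
	struct vif *vif;
};

struct vif {                  /* stand-in for struct mt792x_vif */
	struct sta bss;           /* the interface's own (BSS) station entry */
};

struct dev {
	struct wcid *wcid[MAX_WCID];  /* indexed by the rx descriptor's wcid index */
};

/* Station setup as the vulnerable driver left it: the table entry is
 * published, but deflink never learns which station owns it. */
static void sta_add_vulnerable(struct dev *dev, struct vif *vif,
			       struct sta *sta, uint16_t idx)
{
	memset(sta, 0, sizeof(*sta));
	sta->vif = vif;
	sta->deflink.wcid.idx = idx;
	sta->deflink.wcid.sta = 1;
	dev->wcid[idx] = &sta->deflink.wcid;
	/* missing: sta->deflink.sta = sta; */
}

/* Station setup with the back-link in place, which is what the fix ensures. */
static void sta_add_fixed(struct dev *dev, struct vif *vif,
			  struct sta *sta, uint16_t idx)
{
	sta_add_vulnerable(dev, vif, sta, idx);
	sta->deflink.sta = sta;
}

/* Receive-path lookup modelled on mt792x_rx_get_wcid(): unicast frames use
 * the table entry directly; group-addressed frames are attributed to the
 * BSS station, reached through wcid -> link_sta -> sta -> vif. */
static struct wcid *rx_get_wcid(struct dev *dev, uint16_t idx, int unicast)
{
	struct wcid *wcid;
	struct link_sta *link;
	struct sta *sta;

	if (idx >= MAX_WCID)
		return NULL;
	wcid = dev->wcid[idx];
	if (unicast || !wcid)
		return wcid;
	if (!wcid->sta)
		return NULL;
	link = container_of(wcid, struct link_sta, wcid);
	sta = link->sta;
	/* With the vulnerable setup sta is NULL here. Without this guard the next
	 * statement reads sta->vif at address 0 + offsetof(struct sta, vif):
	 * a fault at a small constant address, like the reported 0x400. */
	if (!sta || !sta->vif)
		return NULL;
	return &sta->vif->bss.deflink.wcid;
}

/* The address the unguarded read would touch in this model. */
uintptr_t null_sta_fault_address(void)
{
	return (uintptr_t)offsetof(struct sta, vif);
}

/* Vulnerable setup: unicast still resolves, the group-addressed lookup bails
 * out (the real driver crashed instead). Returns 1 when both hold. */
int scenario_vulnerable(void)
{
	static struct dev dev;
	static struct vif vif;
	static struct sta peer;

	memset(&dev, 0, sizeof(dev));
	sta_add_vulnerable(&dev, &vif, &peer, 5);
	return rx_get_wcid(&dev, 5, 1) == &peer.deflink.wcid &&
	       rx_get_wcid(&dev, 5, 0) == NULL;
}

/* Fixed setup: the group-addressed lookup reaches the BSS station's wcid. */
int scenario_fixed(void)
{
	static struct dev dev;
	static struct vif vif;
	static struct sta peer;

	memset(&dev, 0, sizeof(dev));
	sta_add_fixed(&dev, &vif, &peer, 5);
	return rx_get_wcid(&dev, 5, 1) == &peer.deflink.wcid &&
	       rx_get_wcid(&dev, 5, 0) == &vif.bss.deflink.wcid;
}

int main(void)
{
	printf("vulnerable setup handled: %d\n", scenario_vulnerable());
	printf("fixed setup resolves:     %d\n", scenario_fixed());
	printf("unguarded read would fault at 0x%lx\n",
	       (unsigned long)null_sta_fault_address());
	return 0;
}
```

The fault address is the giveaway when triaging such an oops: a "BUG: kernel NULL pointer dereference, address: 0000000000000400" line with a constant that small means a field read through a NULL struct pointer, and the fix belongs where the pointer should have been set, not only where it is read.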
DailyCVE Form
Platform: Linux Kernel
Version: < 6.12.13
Vulnerability: Null Pointer Dereference
Severity: Critical
Date: 04/29/2025
What Undercode Say:
Exploitation:
The advisory references no public proof of concept. The trigger is over the air: the crash is in the receive path, when frames arrive for a station entry whose deflink was never linked at initialization, so the attacker needs to be within radio range of the MT7921 client. The deauthentication flood below only forces clients off the network and back through reassociation (which exercises station setup and teardown); by itself it is not a trigger for this bug.
sudo aireplay-ng -0 0 -a <BSSID> -c <client> wlan0mon
Detection:
A hit leaves an oops or panic with mt792x_rx_get_wcid in the call trace and a "BUG: kernel NULL pointer dereference" line naming address 0x400. Check the current boot's log, and the previous boot's if the machine panicked and rebooted (the second command needs a persistent journal):
dmesg | grep -i -A20 "mt792x_rx_get_wcid"
journalctl -k -b -1 | grep -i -A20 "mt792x_rx_get_wcid"
Mitigation:
Apply the upstream fix. According to the CVE description it links the deflink structure to its sta context at station initialization; it is not a check added to the receive path. Note that deflink is an embedded struct inside the station structure, not a pointer, so a test of the form !sta->deflink does not compile. A receive-side guard, if one were added as defense in depth, would test the station pointer obtained from deflink:
    if (!sta)
        return NULL; /* station entry was never linked; drop the frame instead of dereferencing */
Debugging:
Count calls into the lookup with a kprobe (needs CONFIG_KPROBES and kernel symbols; if the function has been inlined, probe its caller instead):
sudo perf probe -a mt792x_rx_get_wcid
sudo perf stat -e 'probe:mt792x_rx_get_wcid' -a sleep 10
System Hardening:
Until a fixed kernel is installed, unload the module and keep it from loading at boot. This disables the Wi-Fi adapter entirely. The redirection must run as root, which sudo applied to echo alone does not achieve, hence tee:
sudo modprobe -r mt7921e
echo "blacklist mt7921e" | sudo tee -a /etc/modprobe.d/blacklist.conf
CVSS Analysis:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
This vector is the page's own assessment; the kernel CNA publishes no score. It overstates both the attack vector and the impact: the frames have to reach the Wi-Fi radio, which is adjacent access (AV:A), and a NULL pointer dereference that panics the kernel is an availability impact (VA:H) with no confidentiality or integrity effect described in the CVE.
Kernel Backport Fix:
a/drivers/net/wireless/mediatek/mt76/mt792x/mt792x.h +++ b/drivers/net/wireless/mediatek/mt76/mt792x/mt792x.h @@ -123,6 +123,7 @@ mt792x_rx_get_wcid(struct mt792x_dev dev, { struct mt76_rx_status status = (struct mt76_rx_status )skb->cb; + if (!sta || !sta->deflink) return NULL; return container_of((void )status->wcid, struct mt76_wcid, rssi); }
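Review bot: the added line `+ if (!sta || !sta->deflink) return NULL;` references a variable `sta` that is declared nowhere in the hunk (the function as shown receives only `dev` and reads `skb->cb`), and `deflink` is an embedded `struct mt792x_link_sta` inside `struct mt792x_sta`, not a pointer, so `!sta->deflink` is not valid C even where a `sta` is in scope. The fix the CVE text describes associates `deflink` with its `sta` context during station initialization; a NULL check on the receive path would be a separate, defensive change and should be labelled as such rather than presented as the backport. The hunk has also lost its pointer stars in extraction (`struct mt792x_dev dev`, `struct mt76_rx_status status = (struct mt76_rx_status )skb->cb`, `(void )status->wcid`) and its `---` file header, so `git apply` will reject it as shown; regenerate it from the upstream commit instead of reconstructing it by hand.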
Traffic Analysis:
No frame-level signature for this bug has been published, and the original filter ether[0x0a:4] = 0x7921 matches bytes 10 to 13 of an Ethernet header (the tail of the source MAC plus the EtherType), which has nothing to do with the chipset. What can be done is to capture raw 802.11 traffic on a monitor-mode interface and correlate timestamps with the kernel log when a client crashes, starting with management frames since association and deauthentication drive station setup:
sudo tcpdump -i wlan0mon -e -vvv 'type mgt' -w mt7921-mgmt.pcap
Recovery:
A panic is recovered by reboot; afterwards install a kernel that contains the fix rather than rolling back, since any release older than the fixed one (the page lists versions below 6.12.13 as affected) is still vulnerable. On Debian/Ubuntu derivatives:
sudo apt-get update && sudo apt-get install linux-image-generic
then reboot and confirm the running version with uname -r.
Vulnerable Config Check:
A host is exposed if the MT7921 modules are loaded and the running kernel predates the fix:
lsmod | grep mt7921 && uname -r
Exploit PoC (Conceptual):
from scapy.all import RadioTap, Dot11, LLC, SNAP, Raw, sendp

# Broadcast probe request (type 0, subtype 4) padded with 400 zero bytes.
# Conceptual only: this puts one frame on the air from a monitor-mode
# interface; a management frame would not normally carry LLC/SNAP, and the
# advisory gives no frame contents that are known to reach the faulty path.
frame = (RadioTap()
         / Dot11(type=0, subtype=4,
                 addr1="ff:ff:ff:ff:ff:ff",   # broadcast receiver
                 addr2="02:00:00:00:00:01",   # placeholder source MAC
                 addr3="ff:ff:ff:ff:ff:ff")
         / LLC() / SNAP()
         / Raw(load=b"\x00" * 400))
sendp(frame, iface="wlan0mon", count=1)
Sources:
Reported By: nvd.nist.gov