{"uuid": "9737d7c6-c163-4544-9ee3-94d0234e343f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-23133", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/14801", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-23133\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: update channel list in reg notifier instead reg worker\n\nCurrently when ath11k gets a new channel list, it will be processed\naccording to the following steps:\n1. update new channel list to cfg80211 and queue reg_work.\n2. cfg80211 handles new channel list during reg_work.\n3. update cfg80211's handled channel list to firmware by\nath11k_reg_update_chan_list().\n\nBut ath11k will immediately execute step 3 after reg_work is just\nqueued. Since step 2 is asynchronous, cfg80211 may not have completed\nhandling the new channel list, which may leading to an out-of-bounds\nwrite error:\nBUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list\nCall Trace:\n    ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k]\n    kfree+0x109/0x3a0\n    ath11k_regd_update+0x1cf/0x350 [ath11k]\n    ath11k_regd_update_work+0x14/0x20 [ath11k]\n    process_one_work+0xe35/0x14c0\n\nShould ensure step 2 is completely done before executing step 3. Thus\nWen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set,\ncfg80211 will notify ath11k after step 2 is done.\n\nSo enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will\nnotify ath11k after step 2 is done. At this time, there will be no\nKASAN bug during the execution of the step 3.\n\n[1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3\n\ud83d\udccf Published: 2025-04-16T14:13:14.485Z\n\ud83d\udccf Modified: 2025-05-04T13:07:06.636Z\n\ud83d\udd17 References:\n1. https://git.kernel.org/stable/c/f952fb83c9c6f908d27500764c4aee1df04b9d3f\n2. https://git.kernel.org/stable/c/933ab187e679e6fbdeea1835ae39efcc59c022d2", "creation_timestamp": "2025-05-04T13:18:44.000000Z"}