CVE-2025-38116
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's ath12k WiFi driver allows local attackers to potentially crash the kernel or execute arbitrary code. This affects systems using Qualcomm's ath12k WiFi hardware with vulnerable kernel versions. Attackers need local access to exploit this vulnerability.
💻 Affected Systems
- Linux kernel with ath12k WiFi driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to denial of service, or potential privilege escalation to kernel-level code execution.
Likely Case
Kernel crash causing system instability or denial of service on affected WiFi hardware.
If Mitigated
Limited impact if proper access controls prevent local users from loading/unloading kernel modules.
🎯 Exploit Status
Requires local access and ability to trigger the failure path in ath12k_core_init() followed by subsequent access to freed memory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 65e1b3404c211dcfaea02698539cdcd26647130f and f3fe49dbddd73f0155a8935af47cb63693069dbe
Vendor Advisory: https://git.kernel.org/stable/c/65e1b3404c211dcfaea02698539cdcd26647130f
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Reboot system to load patched kernel.
3. Verify ath12k module loads without errors.
🔧 Temporary Workarounds
Disable ath12k module
Linux: Prevent loading of the vulnerable ath12k WiFi driver
echo 'blacklist ath12k' >> /etc/modprobe.d/blacklist-ath12k.conf
rmmod ath12k
Restrict module loading
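Linux: Prevent unauthorized users from loading/unloading kernel modules. Once set to 1, this sysctl blocks all module loading and unloading and cannot be reset without a reboot.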
sysctl -w kernel.modules_disabled=1
🧯 If You Can't Patch
- Restrict local user access to systems with vulnerable ath12k hardware
- Implement strict access controls to prevent unauthorized users from loading/unloading kernel modules
🔍 How to Verify
Check if Vulnerable:
Check if ath12k module is loaded: lsmod | grep ath12k. Check kernel version: uname -r and verify against patched versions.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes fix commits. Test ath12k module loading/unloading: modprobe -r ath12k && modprobe ath12k.
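The module, blacklist and module-lock checks from the workaround and verification steps above, combined into one exposure check. This is an added example, not part of the original advisory; the function names and path parameters are assumptions introduced here, with defaults set to the standard /proc/modules, /etc/modprobe.d and /proc/sys/kernel/modules_disabled locations.

```shell
#!/bin/sh
# Added example: report how exposed this host is to the ath12k driver.
# Function names and path parameters are assumptions made for this example;
# the defaults are the standard kernel and modprobe locations.

# True if ath12k is listed in a /proc/modules-format file.
ath12k_loaded() {
    grep -Eqs '^ath12k[[:space:]]' "${1:-/proc/modules}"
}

# True if a *.conf file in the given modprobe.d directory blacklists ath12k.
# "blacklist" only stops alias-based autoloading; an explicit
# "modprobe ath12k" by root still loads the driver.
ath12k_blacklisted() {
    grep -Eqs '^[[:space:]]*blacklist[[:space:]]+ath12k[[:space:]]*$' \
        "${1:-/etc/modprobe.d}"/*.conf
}

# True if kernel.modules_disabled is 1 (no module load/unload until reboot).
modules_locked() {
    [ "$(cat "${1:-/proc/sys/kernel/modules_disabled}" 2>/dev/null)" = "1" ]
}

# Print one exposure state for the host:
#   loaded       driver is in the running kernel; confirm the kernel is patched
#   blocked      not loaded, and module loading is disabled until reboot
#   blacklisted  not loaded, autoload suppressed, explicit load still possible
#   loadable     not loaded, and nothing prevents it from being loaded
# Arguments (all optional): modules file, modprobe.d directory, sysctl file.
ath12k_status() {
    if ath12k_loaded "${1:-}"; then
        echo loaded
    elif modules_locked "${3:-}"; then
        echo blocked
    elif ath12k_blacklisted "${2:-}"; then
        echo blacklisted
    else
        echo loadable
    fi
}

ath12k_status "$@"
```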
📡 Detection & Monitoring
Log Indicators:
- Kernel oops messages
- ath12k module load/unload failures
- System crashes when using ath12k WiFi
Network Indicators:
- Unusual local privilege escalation attempts
- Failed WiFi hardware initialization
SIEM Query:
source="kernel" AND ("ath12k" OR "UAF" OR "use-after-free")