CVE-2025-23129: wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path
If a shared IRQ is used by the driver due to platform limitation, then the
IRQ affinity hint is set right after the allocation of IRQ vectors in
ath11k_pci_alloc_msi(). This does no harm unless one of the functions
requesting the IRQ fails and attempt to free the IRQ. This results in the
below warning:
WARNING: CPU: 7 PID: 349 at kernel/irq/manage.c:1929 free_irq+0x278/0x29c
Call trace:
free_irq+0x278/0x29c
ath11k_pcic_free_irq+0x70/0x10c [ath11k]
ath11k_pci_probe+0x800/0x820 [ath11k_pci]
local_pci_probe+0x40/0xbc
The warning is due to not clearing the affinity hint before freeing the
IRQs.
So to fix this issue, clear the IRQ affinity hint before calling
ath11k_pcic_free_irq() in the error path. The affinity will be cleared once
again further down the error path due to code organization, but that does
no harm.
Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-05266-QCAHSTSWPLZ_V2_TO_X86-1
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel Wi-Fi driver bug in ath11k. On systems using shared IRQs, a driver setup failure can leave an IRQ affinity hint uncleared before IRQ cleanup, triggering a kernel warning. The source does not describe data theft, remote code execution, or active exploitation.
Executive priority
Treat this as a targeted Linux kernel maintenance item, not an emergency, unless your fleet includes affected Wi-Fi hardware in sensitive endpoints. Patch through normal kernel update processes once vendor packages are available.
Technical view
The ath11k PCI error path called ath11k_pcic_free_irq() without first clearing the IRQ affinity hint. The resolved change clears the affinity hint before freeing IRQs. The issue is tied to shared IRQ use and was tested on QCA6390 hardware.
Likely exposure
Exposure appears limited to Linux systems using the ath11k PCI Wi-Fi driver on affected kernel versions and platforms where shared IRQs are used. Servers without this driver or hardware are unlikely to be exposed.
Exploitation context
The bundle reports KEV as false and provides no evidence of public exploitation. The described behavior is a kernel warning during a driver error path, not a documented attacker-controlled exploit path.
Researcher notes
Evidence is sparse: no CVSS, CWE, or concrete security impact is provided. The root cause is cleanup-order correctness in an ath11k PCI error path involving IRQ affinity hints and shared IRQs. Avoid extrapolating beyond kernel warning and stability implications.
Mitigation direction
Check vendor kernel advisories for fixed packages covering CVE-2025-23129.
Prioritize systems using ath11k PCI Wi-Fi hardware or Qualcomm QCA6390-class devices.
Update to a kernel containing one of the referenced stable fixes.
If no vendor package exists, follow vendor guidance for temporary risk handling.
Validation and detection
Inventory Linux hosts for ath11k or ath11k_pci driver usage.
Compare running kernel versions against vendor CVE-2025-23129 advisories.
Review kernel logs for warnings involving free_irq and ath11k_pcic_free_irq.
Confirm patched systems include the affinity hint cleanup fix.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-23129 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Apr 16, 2025, 14:13 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.