LiveActive security incident?Get immediate response
CVE Record

CVE-2025-38643: wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() Callers of wdev_chandef() must hold the wiphy mutex. But the worker cfg80211_propagate_cac_done_wk() never takes the lock. Which triggers the warning below with the mesh_peer_connected_dfs test from hostapd and not (yet) released mac80211 code changes: WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165 Modules linked in: CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf Workqueue: cfg80211 cfg80211_propagate_cac_done_wk Stack: 00000000 00000001 ffffff00 6093267c 00000000 6002ec30 6d577c50 60037608 00000000 67e8d108 6063717b 00000000 Call Trace: [<6002ec30>] ? _printk+0x0/0x98 [<6003c2b3>] show_stack+0x10e/0x11a [<6002ec30>] ? _printk+0x0/0x98 [<60037608>] dump_stack_lvl+0x71/0xb8 [<6063717b>] ? wdev_chandef+0x60/0x165 [<6003766d>] dump_stack+0x1e/0x20 [<6005d1b7>] __warn+0x101/0x20f [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 [<600b11a2>] ? mark_held_locks+0x5a/0x6e [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d [<60052e53>] ? unblock_signals+0x3a/0xe7 [<60052f2d>] ? um_set_signals+0x2d/0x43 [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 [<607508b2>] ? lock_is_held_type+0x207/0x21f [<6063717b>] wdev_chandef+0x60/0x165 [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f [<60052f00>] ? um_set_signals+0x0/0x43 [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a [<6007e460>] process_scheduled_works+0x3bc/0x60e [<6007d0ec>] ? move_linked_works+0x4d/0x81 [<6007d120>] ? assign_work+0x0/0xaa [<6007f81f>] worker_thread+0x220/0x2dc [<600786ef>] ? set_pf_worker+0x0/0x57 [<60087c96>] ? to_kthread+0x0/0x43 [<6008ab3c>] kthread+0x2d3/0x2e2 [<6007f5ff>] ? worker_thread+0x0/0x2dc [<6006c05b>] ? calculate_sigpending+0x0/0x56 [<6003b37d>] new_thread_handler+0x4a/0x64 irq event stamp: 614611 hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985 softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2025-38643 is a Linux kernel wireless bug where code accessed Wi-Fi channel state without the required lock. The public record shows a kernel warning in test conditions, not confirmed real-world compromise. Business urgency is mainly for products or fleets that rely on Linux Wi-Fi, mesh, or DFS functionality.

Executive priority

Treat this as a targeted kernel maintenance item, not an emergency, unless your business operates Linux-based wireless infrastructure at scale. Patch through normal vendor channels and prioritize internet-facing or operationally critical wireless devices.

Technical view

The issue is in cfg80211_check_and_end_cac() through cfg80211_propagate_cac_done_wk(), where callers of wdev_chandef() must hold the wiphy mutex. The source says the worker did not take that lock. It was reproduced with hostapd mesh_peer_connected_dfs testing and unreleased mac80211 changes.

Likely exposure

Exposure likely applies to Linux systems using the cfg80211 wireless stack, especially Wi-Fi AP, mesh, or DFS CAC workflows. The source bundle lists Linux as affected but includes mixed commit and version identifiers, so downstream distro exposure requires vendor kernel mapping.

Exploitation context

No active exploitation is cited. The source bundle marks KEV as false and provides no exploit reports. The described trigger is a warning observed in a hostapd mesh DFS test with unreleased mac80211 changes, which limits confidence about practical attackability.

Researcher notes

The evidence points to a locking correctness bug in cfg80211 worker context. Severity, CVSS, CWE, and exploitability details are absent from the supplied sources. The affected-version data is incomplete for direct fleet decisions without downstream kernel advisory correlation.

Mitigation direction

  • Update to a vendor kernel containing the referenced stable fixes.
  • Check Linux distribution advisories for backported cfg80211 fixes.
  • Prioritize wireless infrastructure, embedded gateways, and mesh-capable Linux devices.
  • Avoid inventing workarounds; follow vendor guidance for any runtime mitigations.
  • Test Wi-Fi, mesh, and DFS behavior after kernel updates.

Validation and detection

  • Inventory Linux kernel versions across wireless-capable assets.
  • Map installed kernels to distro advisories or referenced stable commits.
  • Confirm whether cfg80211/mac80211 wireless functionality is enabled.
  • Review kernel logs for related wdev_chandef or cfg80211 warnings.
  • Verify updated devices retain expected Wi-Fi and DFS operation.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-38643 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
7Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d, 26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d, 26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d, 26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d, 26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d, 26ec17a1dc5ecdd8d91aba63ead6f8b5ad5dea0d, 2dbb6faebb94d6d5ae87e5ea6be9280c366393e1, a4f85674e4693904ade7cbf6722d0d105d8062d8, e233cbaf8ecc5859f0417dd53899da4edb477991, 4.14.170, 4.19.102, 5.4.18unaffected
LinuxLinux5.5, 0, 6.1.164, 6.6.118, 6.12.57, 6.15.10, 6.16.1, 6.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.