LiveActive security incident?Get immediate response
CVE Record

CVE-2025-39864: wifi: cfg80211: fix use-after-free in cmp_bss()

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-free in cmp_bss() Following bss_free() quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly"), adjust cfg80211_update_known_bss() to free the last beacon frame elements only if they're not shared via the corresponding 'hidden_beacon_bss' pointer.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2025-39864 is a Linux kernel Wi-Fi vulnerability caused by a use-after-free in cfg80211 BSS handling. The public record provides no CVSS score and no confirmed active exploitation. Business urgency depends on whether affected systems use Linux Wi-Fi functionality, especially laptops, embedded devices, appliances, or industrial systems.

Executive priority

Set priority after inventory. This is not currently supported as emergency internet-wide exploitation, but Wi-Fi-capable Linux endpoints and appliances should enter normal kernel patch cycles promptly.

Technical view

The issue is in cfg80211 cmp_bss()/cfg80211_update_known_bss() handling of beacon frame elements after a hidden SSID tracking change. The fix avoids freeing last beacon elements when they are shared through hidden_beacon_bss. Linux stable commits and Debian LTS advisories are cited as remediation references.

Likely exposure

Exposure is most plausible on Linux systems with wireless networking enabled and affected kernel versions. Pure server workloads without Wi-Fi hardware or cfg80211 usage are less likely exposed, but embedded and appliance fleets should verify kernel lineage.

Exploitation context

The source bundle does not show KEV listing, exploit publication, active exploitation, attacker prerequisites, or practical impact details. Treat exploitability as unconfirmed from the provided evidence, not as disproven.

Researcher notes

Evidence is limited to the CVE record, Linux stable commits, and Debian LTS references. No CVSS, CWE, root-cause impact beyond use-after-free, exploit status, or attacker model is provided in the bundle.

Mitigation direction

  • Identify Linux kernel versions across Wi-Fi-capable systems and appliances.
  • Prioritize vendor kernel updates that include the referenced stable fixes.
  • Review Debian LTS advisories if running Debian-based affected systems.
  • Check OEM or device vendor guidance for embedded and appliance firmware.
  • Disable unused wireless functionality where operationally feasible until patched.

Validation and detection

  • Confirm whether systems load cfg80211 or use Wi-Fi functionality.
  • Map running kernels against vendor advisories and fixed stable commits.
  • Verify updated packages or firmware include the CVE-2025-39864 fix.
  • Track Debian and device-vendor advisories for affected fleet subsets.
  • Document systems without Wi-Fi exposure separately from unpatched wireless systems.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-39864 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
13Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
siemens-SADPADP container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6, 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6, 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6, 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6, 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6, 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6, 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6, 3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6unaffected
LinuxLinux5.4, 0, 5.4.299, 5.10.243, 5.15.192, 6.1.151, 6.6.105, 6.12.46, 6.16.6, 6.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.