CVE-2025-39864: wifi: cfg80211: fix use-after-free in cmp_bss()
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: fix use-after-free in cmp_bss()
Following bss_free() quirk introduced in commit 776b3580178f
("cfg80211: track hidden SSID networks properly"), adjust
cfg80211_update_known_bss() to free the last beacon frame
elements only if they're not shared via the corresponding
'hidden_beacon_bss' pointer.
Security readout for executives and security teams
Plain-English summary
CVE-2025-39864 is a Linux kernel Wi-Fi vulnerability caused by a use-after-free in cfg80211 BSS handling. The public record provides no CVSS score and no confirmed active exploitation. Business urgency depends on whether affected systems use Linux Wi-Fi functionality, especially laptops, embedded devices, appliances, or industrial systems.
Executive priority
Set priority after inventory. This is not currently supported as emergency internet-wide exploitation, but Wi-Fi-capable Linux endpoints and appliances should enter normal kernel patch cycles promptly.
Technical view
The issue is in cfg80211 cmp_bss()/cfg80211_update_known_bss() handling of beacon frame elements after a hidden SSID tracking change. The fix avoids freeing last beacon elements when they are shared through hidden_beacon_bss. Linux stable commits and Debian LTS advisories are cited as remediation references.
Likely exposure
Exposure is most plausible on Linux systems with wireless networking enabled and affected kernel versions. Pure server workloads without Wi-Fi hardware or cfg80211 usage are less likely exposed, but embedded and appliance fleets should verify kernel lineage.
Exploitation context
The source bundle does not show KEV listing, exploit publication, active exploitation, attacker prerequisites, or practical impact details. Treat exploitability as unconfirmed from the provided evidence, not as disproven.
Researcher notes
Evidence is limited to the CVE record, Linux stable commits, and Debian LTS references. No CVSS, CWE, root-cause impact beyond use-after-free, exploit status, or attacker model is provided in the bundle.
Mitigation direction
Identify Linux kernel versions across Wi-Fi-capable systems and appliances.
Prioritize vendor kernel updates that include the referenced stable fixes.
Review Debian LTS advisories if running Debian-based affected systems.
Check OEM or device vendor guidance for embedded and appliance firmware.
Disable unused wireless functionality where operationally feasible until patched.
Validation and detection
Confirm whether systems load cfg80211 or use Wi-Fi functionality.
Map running kernels against vendor advisories and fixed stable commits.
Verify updated packages or firmware include the CVE-2025-39864 fix.
Track Debian and device-vendor advisories for affected fleet subsets.
Document systems without Wi-Fi exposure separately from unpatched wireless systems.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-39864 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
3ADP providers
13Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Sep 19, 2025, 15:26 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.