wifi: cfg80211: cancel wiphy_work before freeing wiphy

CVE	CVE-2025-21979
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2025-04-01 16:15:29 UTC
Updated	2026-04-06 13:39:11 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel wiphy_work before freeing wiphy A wiphy_work can be queued from the moment the wiphy is allocated and initialized (i.e. wiphy_new_nm). When a wiphy_work is queued, the rdev::wiphy_work is getting queued. If wiphy_free is called before the rdev::wiphy_work had a chance to run, the wiphy memory will be freed, and then when it eventally gets to run it'll use invalid memory. Fix this by canceling the work before freeing the wiphy.

Primary CVSS: v3.1 7.8 HIGH from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem Types: CWE-416 | CWE-416 CWE-416 Use After Free

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
3.1	ADP	DECLARED	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
3.1	134c704f-9b21-4f2e-91b3-4a467353bcc0	Secondary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected ddb1bfbf4ab5c753954d0cd728253b642934a9f2 8930a3e1568cf534f86c8ed2def817c6d0528fc1 git	Not specified
CNA	Linux	Linux	affected 3fcc6d7d5f40dad56dee7bde787b7e23edd4b93c 0272d4af7f92997541d8bbf4c51918b93ded6ee2 git	Not specified
CNA	Linux	Linux	affected a3ee4dc84c4e9d14cb34dad095fd678127aca5b6 75d262ad3c36d52852d764588fcd887f0fcd9138 git	Not specified
CNA	Linux	Linux	affected a3ee4dc84c4e9d14cb34dad095fd678127aca5b6 a5158d67bff06cb6fea31be39aeb319fd908ed8e git	Not specified
CNA	Linux	Linux	affected a3ee4dc84c4e9d14cb34dad095fd678127aca5b6 dea22de162058216a90f2706f0d0b36f0ff309fd git	Not specified
CNA	Linux	Linux	affected a3ee4dc84c4e9d14cb34dad095fd678127aca5b6 72d520476a2fab6f3489e8388ab524985d6c4b90 git	Not specified
CNA	Linux	Linux	affected 6.5	Not specified
CNA	Linux	Linux	unaffected 6.5 semver	Not specified
CNA	Linux	Linux	unaffected 6.1.132 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.84 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.20 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.13.8 6.13.* semver	Not specified
CNA	Linux	Linux	unaffected 6.14 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/75d262ad3c36d52852d764588fcd887f0fcd9138	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/a5158d67bff06cb6fea31be39aeb319fd908ed8e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/dea22de162058216a90f2706f0d0b36f0ff309fd	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/8930a3e1568cf534f86c8ed2def817c6d0528fc1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/0272d4af7f92997541d8bbf4c51918b93ded6ee2	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
lists.debian.org/debian-lts-announce/2025/05/msg00045.html	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org	Patch
git.kernel.org/stable/c/72d520476a2fab6f3489e8388ab524985d6c4b90	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.