CVE-2025-68380: Linux ath11k HE MCS swap fixes firmware crashes

  • Thread Author
A recently published Linux-kernel CVE, CVE-2025-68380, closes a subtle but potentially disruptive bug in the ath11k Wi‑Fi driver that misassigns HE (High Efficiency / Wi‑Fi 6) MCS fields when building peer association commands, a logic error that can crash firmware on some Qualcomm-based wireless chips when they encounter a malicious or malformed AP advertizing an out‑of‑spec 160 MHz transmit MCS map value. The upstream fix simply swaps the misapplied fields so transmit/receive HE‑MCS masks are sent with the correct semantics, but the operational implications are important: affected hosts must receive updated kernel packages and reboots to remove the risk of firmware crashes and device instability.

Background​

What this CVE is about​

CVE-2025-68380 is a driver-level defect in the Linux kernel’s ath11k Wi‑Fi stack. At a high level, the bug occurs in ath11k_wmi_send_peer_assoc_cmd: the code builds a peer association command that flips the peer’s transmit and receive HE‑MCS bitmaps when packaging them for firmware. That inversion means a transmit MCS map from a peer is treated as a receive MCS mask and vice versa. If an AP advertises a pathological value — notably 0xffff for the Tx HE‑MCS Map 160 MHz, a value that signals “not supported” or is otherwise out-of-spec — that value can be shoved into the wrong driver field (he_mcs->rx_mcs_set) and cause firmware on some Qualcomm chipsets to crash. The kernel patch corrects the assignment ordering (swap) so masks are mapped to the correct TX/RX fields.

Why HE‑MCS maps matter​

HE‑MCS (High Efficiency Modulation and Coding Scheme) maps and NSS (number of spatial streams) bitmasks are how modern 802.11ax (Wi‑Fi 6/6E) stations agree which modulation and spatial stream combinations each peer supports for transmit and receive. Those bitmasks are interpreted by firmware and hardware to control rate selection and link-layer behavior; incorrect masks can create malformed internal state or cause firmware to parse unexpected values — which is what this CVE exposed on specific Qualcomm firmware builds. This is not a generic parsing overflow; it’s a semantics/field-misassignment bug with outsized impact in some firmware implementations.

Technical analysis​

Root cause — flipped assignment in peer assoc command​

The bug lives in the code path that translates kernel cfg80211/cfg80211‑level peer HE capabilities into the ath11k WMI peer association command structure that the firmware consumes. The driver mistakenly placed a peer's transmit MCS map into the firmware field expected to hold receive MCS information, while the peer's receive map went into the transmit field. Firmware that strictly validates or interprets those fields — and in this case firmware that treats 0xffff specially — could receive an invalid value in the wrong place and crash as a result. The fix is a direct, surgical swap: send the peer’s TX mask into the driver’s transmit-side field and the RX mask into the receive-side field so firmware receives consistent semantics.

Hardware tested and vendor impact notes​

Upstream metadata attached to the CVE notes that the fix was exercised against Qualcomm platforms including WCN6855 and QCN9274 (specific test configurations referenced in the advisories), which are used across laptops, embedded devices and consumer APs. Because ath11k drives several modern Qualcomm Wi‑Fi SoCs (WCN/QCA families), this affects any kernel image that includes the in-tree ath11k driver and loads it for qualifying hardware. The practical exposure often depends on whether the platform uses in-tree kernel drivers or a vendor-supplied out‑of‑tree stack.

Who is affected and how serious it is​

Affected population​

  • Linux systems that build and load the in-tree ath11k driver for Qualcomm WCN/QCA Wi‑Fi chips (desktop, laptop, embedded, and many vendor distributions).
  • Embedded devices and OEM images that use Qualcomm chipsets and do not ship patched kernels promptly (a common long tail).
  • Virtual machines that run guest kernels containing vulnerable ath11k modules; the vulnerability resides in the guest kernel driver, so guests can be affected even in cloud or multi‑OS estates.

Attack surface and exploitability​

The trigger described in published records is a device connecting to a misbehaved or malicious AP that advertises the problematic HE‑MCS map value (0xffff) for 160 MHz Tx. That means an attacker within radio range can cause a vulnerable station to trigger a firmware crash through crafted management frames or by acting as a malicious AP. It places the vector in the proximity/network model (local to radio) rather than an Internet‑remote vector. There is no definitive public evidence the issue has been chained to remote code execution; the immediate and documented impact is firmware crash and device instability (availability). Administrators should treat it as a service‑disrupting bug with a plausible proximity-based attack vector.

Severity assessment​

The patch is small and the weakness is semantic, not an arbitrary memory write, but its effect on firmware makes it operationally meaningful. For end users, the result can be device reboots, firmware recovery cycles, or persistent connectivity loss when exposed to the malformed AP behavior. The lack of a public PoC for remote exploitation at the time of disclosure reduces immediate Panic-Mode risk, but the proximity attack model and the firmware crash outcome make this a high-priority remediation for Wi‑Fi endpoints used in sensitive or multi‑tenant environments.

The fix and how it was delivered​

What maintainers changed​

Upstream kernel maintainers applied a minimal, self-contained change: swap the transmit/receive HE‑MCS assignment in ath11k_wmi_send_peer_assoc_cmd and adjust subsequent application of the HE rate-control mask to the peer’s receive MCS as appropriate. The patch does not rearchitect rate control; it only corrects a logic inversion that violated firmware expectations. Because the change is small and constrained, it is low risk to normal behavior and straightforward to backport to stable kernel branches. Published vulnerability trackers and kernel-stable commit references record the change and associated stable backports.

Where to get the fix​

  • Official distribution kernel security updates that reference CVE-2025-68380 or include the upstream commit are authoritative. Upstream commit references were propagated into stable kernel trees and are being picked up by distributors’ security packaging.
  • For custom-built kernels, the fix is present in the upstream stable commits listed in public CVE trackers; merging that commit into a private kernel branch and rebuilding will resolve the issue for those images.

Detection, triage and mitigation steps​

Quick triage checklist​

  • Inventory hosts that load the ath11k module:
  • Run: lsmod | grep ath11k
  • Confirm kernel config/build: grep ATH11K /boot/config-$(uname -r) (or inspect your kernel build)
  • Inspect kernel logs for firmware crash messages or repeated ath11k error lines immediately after association events:
  • journalctl -k | grep -i ath11k
  • dmesg | grep -i firmware
  • Isolate devices acting as APs or gateway appliances that accept unauthenticated management frames; these are the highest-exposure roles.

Short-term mitigations (when patching is delayed)​

  • Avoid connecting critical hosts to untrusted Wi‑Fi APs or guest networks until patched; treat unknown radios with extra caution.
  • If wireless functionality is non‑essential on an affected host, consider removing or blacklisting the ath11k module temporarily (e.g., echo "blacklist ath11k" > /etc/modprobe.d/blacklist-ath11k.conf and modprobe -r ath11k). This is disruptive and not recommended for APs or devices that require Wi‑Fi.
  • For managed AP fleets, use network-level controls and segmentation to reduce exposure to rogue/misbehaved AP interactions from untrusted clients.

Verification after patching​

  • Install the vendor/distribution kernel package that declares the CVE fix or contains the upstream commit.
  • Reboot into the patched kernel (kernel-level fixes require reboot).
  • Confirm the running kernel and module list: uname -a; lsmod | grep ath11k.
  • Monitor kernel logs for association-time firmware warnings for a period (7–14 days) to ensure the symptomatic crash is no longer present.

Operational impact and long‑tail risks​

The real operational problem: the patch distribution gap​

The technical change is minimal, but the practical challenge is ensuring the fix reaches the wide diversity of Linux kernels in use: distribution kernels, OEM images, embedded appliance images, Android forks and vendor-supplied modules all follow different release cadences. That “long tail” is where exposure persists longer than the upstream fix timeline. Administrators must inventory and engage vendors for appliances and proprietary images that do not receive automatic distribution kernel updates.

Why small fixes still matter​

Even minor misassignments in driver‑to‑firmware data structures can produce crashes or undefined firmware behavior, especially in tightly coupled Wi‑Fi SoCs where firmware enforces strict field semantics. Correcting these kinds of data-mapping mistakes prevents unpredictable firmware state and reduces noise in monitoring and crash handling systems. The small size of the fix also makes it safe to backport into stable kernel lines, accelerating vendor uptake.

Critical analysis — strengths and remaining risks​

Strengths of the upstream fix​

  • Surgical and auditable: The change is a single logical swap, easy to review and low risk for regressions.
  • Fast backport potential: Minimal code churn makes it straightforward for vendors and distributions to include the fix in stable kernel backports.
  • Tested on representative hardware: The fix was validated on known Qualcomm test targets (WCN6855, QCN9274) in maintainers’ test metadata, giving confidence in its effectiveness.

Remaining risks and caveats​

  • Long‑tail devices: Embedded and OEM kernels often lag upstream and may remain vulnerable for months or years; these are the primary operational exposure window.
  • Proximity attack vector: Because the exploit model is radio-proximal, attackers with physical proximity can attempt exploitation on devices in public or poorly segmented Wi‑Fi environments. That makes devices used in public hotspots, kiosks, or guest networks higher priority for patching.
  • Potential for chaining: While the bug itself is a semantic misassignment leading to firmware crash (availability), kernel/firmware instability primitives have historically been chained with other defects; absence of a public exploit chain is not proof of impossibility. Flag such claims cautiously.

Practical guidance for system administrators and enthusiasts​

  • Inventory: Identify hosts with ath11k loaded and prioritize APs, gateways and devices that operate as client endpoints on untrusted networks. Use automated inventory tools where available.
  • Patch: Apply your distribution’s kernel update that lists CVE‑2025‑68380 or the upstream stable commit. Reboot into the updated kernel.
  • Validate: After reboot, confirm the new kernel is active and monitor kernel logs for any firmware or ath11k-related warnings for at least a week.
  • Vendor coordination: For embedded appliances, contact OEM vendors for patched images and timelines; if you ship hardware or manage long‑lived appliances, prepare to merge the upstream commit and rebuild kernel images.
  • Interim mitigations: Where immediate patching is impossible, restrict connections to untrusted APs, consider blacklisting the ath11k module on non‑critical hosts, and isolate wireless management planes. Evaluate operational impact before taking disruptive measures.

Unverifiable claims and caveats​

  • Public trackers show no widely disclosed exploit proof-of-concept at time of publication, but the landscape for kernel and firmware exploits evolves rapidly; this absence should not be read as definitive proof there are no weaponized chains. The vulnerability record and multiple vendor trackers consistently describe the root cause and fix, but researchers should remain vigilant for subsequent exploit disclosures.
  • Direct access to some upstream git commit pages may be gated or rate‑limited in some environments; administrators validating fixes in source trees should rely on distribution changelogs and vendor advisories in addition to upstream commits.

Conclusion​

CVE-2025-68380 is a compact but meaningful correction in the ath11k driver: a misrouted HE‑MCS assignment that could hand unexpected values to Qualcomm firmware and cause firmware crashes when encountering malicious or malformed AP capabilities. The fix is simple — swap the misassigned TX/RX fields — and has been merged into stable kernel trees, but the operational work is distributional: administrators must inventory affected hosts, deploy vendor or distribution kernel updates, and prioritize reboots. The technical change is low risk to normal operation, yet the potential for disruptive firmware crashes and the long tail of embedded devices make this a kernel security issue worthy of immediate remediation across mixed Linux estates.
Source: MSRC Security Update Guide - Microsoft Security Response Center
 
Click to expand...
You must log in or register to reply here.

Similar threads

  • Article Article
CVE-2025-39732: Linux ath11k fix and Azure Linux attestation
Replies
0
Views
6
ChatGPT
  • Article Article
CVE-2022-50418: Fixing ath11k MHI Lifecycle Memory Leak in the Linux Kernel
Replies
0
Views
42
ChatGPT
  • Article Article
Linux Kernel Fix for Noisy ath11k MHI Warnings CVE-2022-49543
Replies
0
Views
45
ChatGPT
  • Article Article
CVE-2025-23133: Azure Linux Attestation and Holistic Remediation Guide
Replies
0
Views
1
ChatGPT
  • Article Article
CVE-2024-40979: Linux ath12k resume crash fixed in 6.9.7 / 6.10 RC1
Replies
0
Views
3
ChatGPT