{
  "threat_severity" : "Moderate",
  "public_date" : "2025-07-10T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: wifi: rtw89: pci: configure manual DAC mode via PCI config API only",
    "id" : "2379221",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2379221"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: rtw89: pci: configure manual DAC mode via PCI config API only\nTo support 36-bit DMA, configure chip proprietary bit via PCI config API\nor chip DBI interface. However, the PCI device mmap isn't set yet and\nthe DBI is also inaccessible via mmap, so only if the bit can be accessible\nvia PCI config API, chip can support 36-bit DMA. Otherwise, fallback to\n32-bit DMA.\nWith NULL mmap address, kernel throws trace:\nBUG: unable to handle page fault for address: 0000000000001090\n#PF: supervisor write access in kernel mode\n#PF: error_code(0x0002) - not-present page\nPGD 0 P4D 0\nOops: Oops: 0002 [#1] PREEMPT SMP PTI\nCPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G           OE      6.14.2-061402-generic #202504101348\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nRIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci]\nRSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206\nRAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000\nRDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020\nRBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015\nR13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060\nFS:  0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0\nCall Trace:\n<TASK>\nrtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci]\nrtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci]\nrtw89_pci_probe+0xa96/0xbd0 [rtw89_pci]\n? __pfx___device_attach_driver+0x10/0x10\n? __pfx___device_attach_driver+0x10/0x10\nlocal_pci_probe+0x47/0xa0\npci_call_probe+0x5d/0x190\npci_device_probe+0xa7/0x160\nreally_probe+0xf9/0x370\n? pm_runtime_barrier+0x55/0xa0\n__driver_probe_device+0x8c/0x140\ndriver_probe_device+0x24/0xd0\n__device_attach_driver+0xcd/0x170\nbus_for_each_drv+0x99/0x100\n__device_attach+0xb4/0x1d0\ndevice_attach+0x10/0x20\npci_bus_add_device+0x59/0x90\npci_bus_add_devices+0x31/0x80\npciehp_configure_device+0xaa/0x170\npciehp_enable_slot+0xd6/0x240\npciehp_handle_presence_or_link_change+0xf1/0x180\npciehp_ist+0x162/0x1c0\nirq_thread_fn+0x24/0x70\nirq_thread+0xef/0x1c0\n? __pfx_irq_thread_fn+0x10/0x10\n? __pfx_irq_thread_dtor+0x10/0x10\n? __pfx_irq_thread+0x10/0x10\nkthread+0xfc/0x230\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x47/0x70\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1a/0x30\n</TASK>" ],
  "statement" : "A kernel crash was fixed in the rtw89_pci driver where an attempt to access a NULL mmap address caused a page fault. The bug occurred during the early PCI initialization phase, where driver code incorrectly assumed that memory-mapped I/O had already been established. The fix ensures DAC configuration is performed exclusively via the PCI config API before mapping is valid. This issue can lead to a kernel panic, especially when the driver is autoloaded for specific Realtek wireless chipsets. This vulnerability leads to a kernel crash during driver initialization or hotplug scenarios, affecting only the system's availability. There is no evidence of data disclosure or modification, hence the impact on confidentiality and integrity is considered None.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38284\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38284\nhttps://lore.kernel.org/linux-cve-announce/2025071010-CVE-2025-38284-1574@gregkh/T" ],
  "name" : "CVE-2025-38284",
  "csaw" : false
}