{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: wifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks",
    "id" : "2424900",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2424900"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks\nMT7996 driver can use both wed and wed_hif2 devices to offload traffic\nfrom/to the wireless NIC. In the current codebase we assume to always\nuse the primary wed device in wed callbacks resulting in the following\ncrash if the hw runs wed_hif2 (e.g. 6GHz link).\n[  297.455876] Unable to handle kernel read from unreadable memory at virtual address 000000000000080a\n[  297.464928] Mem abort info:\n[  297.467722]   ESR = 0x0000000096000005\n[  297.471461]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  297.476766]   SET = 0, FnV = 0\n[  297.479809]   EA = 0, S1PTW = 0\n[  297.482940]   FSC = 0x05: level 1 translation fault\n[  297.487809] Data abort info:\n[  297.490679]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[  297.496156]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[  297.501196]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[  297.506500] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000107480000\n[  297.512927] [000000000000080a] pgd=08000001097fb003, p4d=08000001097fb003, pud=08000001097fb003, pmd=0000000000000000\n[  297.523532] Internal error: Oops: 0000000096000005 [#1] SMP\n[  297.715393] CPU: 2 UID: 0 PID: 45 Comm: kworker/u16:2 Tainted: G           O       6.12.50 #0\n[  297.723908] Tainted: [O]=OOT_MODULE\n[  297.727384] Hardware name: Banana Pi BPI-R4 (2x SFP+) (DT)\n[  297.732857] Workqueue: nf_ft_offload_del nf_flow_rule_route_ipv6 [nf_flow_table]\n[  297.740254] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  297.747205] pc : mt76_wed_offload_disable+0x64/0xa0 [mt76]\n[  297.752688] lr : mtk_wed_flow_remove+0x58/0x80\n[  297.757126] sp : ffffffc080fe3ae0\n[  297.760430] x29: ffffffc080fe3ae0 x28: ffffffc080fe3be0 x27: 00000000deadbef7\n[  297.767557] x26: ffffff80c5ebca00 x25: 0000000000000001 x24: ffffff80c85f4c00\n[  297.774683] x23: ffffff80c1875b78 x22: ffffffc080d42cd0 x21: ffffffc080660018\n[  297.781809] x20: ffffff80c6a076d0 x19: ffffff80c6a043c8 x18: 0000000000000000\n[  297.788935] x17: 0000000000000000 x16: 0000000000000001 x15: 0000000000000000\n[  297.796060] x14: 0000000000000019 x13: ffffff80c0ad8ec0 x12: 00000000fa83b2da\n[  297.803185] x11: ffffff80c02700c0 x10: ffffff80c0ad8ec0 x9 : ffffff81fef96200\n[  297.810311] x8 : ffffff80c02700c0 x7 : ffffff80c02700d0 x6 : 0000000000000002\n[  297.817435] x5 : 0000000000000400 x4 : 0000000000000000 x3 : 0000000000000000\n[  297.824561] x2 : 0000000000000001 x1 : 0000000000000800 x0 : ffffff80c6a063c8\n[  297.831686] Call trace:\n[  297.834123]  mt76_wed_offload_disable+0x64/0xa0 [mt76]\n[  297.839254]  mtk_wed_flow_remove+0x58/0x80\n[  297.843342]  mtk_flow_offload_cmd+0x434/0x574\n[  297.847689]  mtk_wed_setup_tc_block_cb+0x30/0x40\n[  297.852295]  nf_flow_offload_ipv6_hook+0x7f4/0x964 [nf_flow_table]\n[  297.858466]  nf_flow_rule_route_ipv6+0x438/0x4a4 [nf_flow_table]\n[  297.864463]  process_one_work+0x174/0x300\n[  297.868465]  worker_thread+0x278/0x430\n[  297.872204]  kthread+0xd8/0xdc\n[  297.875251]  ret_from_fork+0x10/0x20\n[  297.878820] Code: 928b5ae0 8b000273 91400a60 f943fa61 (79401421)\n[  297.884901] ---[ end trace 0000000000000000 ]---\nFix the issue detecting the proper wed reference to use running wed\ncallabacks." ],
  "statement" : "This bug is a NULL-pointer dereference caused by using the wrong WED device reference in mt76 callbacks when the hardware runs with wed_hif2, leading to an invalid container_of() result and a kernel crash. In practice it is primarily a stability/availability issue (kernel oops/DoS) tied to a specific driver/offload configuration rather than a security-critical memory corruption primitive.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-68360\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68360\nhttps://lore.kernel.org/linux-cve-announce/2025122457-CVE-2025-68360-63e6@gregkh/T" ],
  "name" : "CVE-2025-68360",
  "csaw" : false
}