CVE-2025-22119 [Medium] | Security Vulnerability in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: init wiphy_work before allocating rfkill fails syzbort reported a uninitialize wiphy_work_lock in cfg80211_dev_free. [1] After rfkill allocation fails, the wiphy release process will be performed, which will cause cfg80211_dev_free to access the uninitialized wiphy_work related data. Move the initialization of wiphy_work to before rfkill initialization to avoid this issue. [1] INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 0 UID: 0 PID: 5935 Comm: syz-executor550 Not tainted 6.14.0-rc6-syzkaller-00103-g4003c9e78778 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 assign_lock_key kernel/locking/lockdep.c:983 [inline] register_lock_class+0xc39/0x1240 kernel/locking/lockdep.c:1297 __lock_acquire+0x135/0x3c40 kernel/locking/lockdep.c:5103 lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5851 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162 cfg80211_dev_free+0x30/0x3d0 net/wireless/core.c:1196 device_release+0xa1/0x240 drivers/base/core.c:2568 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1e4/0x5a0 lib/kobject.c:737 put_device+0x1f/0x30 drivers/base/core.c:3774 wiphy_free net/wireless/core.c:1224 [inline] wiphy_new_nm+0x1c1f/0x2160 net/wireless/core.c:562 ieee80211_alloc_hw_nm+0x1b7a/0x2260 net/mac80211/main.c:835 mac80211_hwsim_new_radio+0x1d6/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5185 hwsim_new_radio_nl+0xb42/0x12b0 drivers/net/wireless/virtual/mac80211_hwsim.c:6242 genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2533 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1882 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg net/socket.c:733 [inline] ____sys_sendmsg+0xaaf/0xc90 net/socket.c:2573 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2627 __sys_sendmsg+0x16e/0x220 net/socket.c:2659 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 Close: https://syzkaller.appspot.com/bug?extid=aaf0488c83d1d5f4f029

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-25	0.10%	0.04%	-0.06%
2	2026-02-10	0.03%	0.10%	+0.07%
3	2025-09-12	—	0.03%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-05-25

0.10%

0.04%

-0.06%

2026-02-10

0.03%

0.10%

+0.07%

2025-09-12

—

0.03%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.5	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	3.6	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.5

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

3.6

[email protected]

OS Trackers for CVE-2025-22119

vendor	priority	summary	link
`debian`	unimportant	CVE-2025-22119 unimportant priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6.	https://security-tracker.debian.org/tracker/CVE-2025-22119
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2025-22119
`suse`	high	—	https://www.suse.com/security/cve/CVE-2025-22119/
`ubuntu`	medium	CVE-2025-22119 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1551 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1145, ignored 161, not-affected 143, released 100, needs-triage 2.	https://ubuntu.com/security/CVE-2025-22119

Affected software / configurations for CVE-2025-22119

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 6.1.132, < 6.1.142	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.6.84, < 6.6.95	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.12.20, < 6.12.35	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.13.8, < 6.14	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	6.14	cpe:2.3:o:linux:linux_kernel:6.14:-::::::
linux	linux_kernel	6.14	cpe:2.3:o:linux:linux_kernel:6.14:rc7::::::
linux	linux_kernel	6.14.1	cpe:2.3:o:linux:linux_kernel:6.14.1:::::::*
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*

References for CVE-2025-22119

URL	Tags
https://git.kernel.org/stable/c/2617f60c3613ef105b8db2d514d2cac2a1836f7d	Patch
https://git.kernel.org/stable/c/60606efbf52582c0ab93e99789fddced6b47297a	Patch
https://git.kernel.org/stable/c/7e6040853f5b5f067a18c52286e676bc298fe6a2	Patch
https://git.kernel.org/stable/c/b679fe84cd5cc6f3481b7131fd28676191ad2615	Patch
https://git.kernel.org/stable/c/eeacfbab984200dcdcd68fcf4c6e91e2c6b38792	Patch
https://git.kernel.org/stable/c/fc88dee89d7b63eeb17699393eb659aadf9d9b7c	Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html	Mailing List Third Party Advisory

URL

CVE-2025-22119 | wifi: cfg80211: init wiphy_work before allocating rfkill fails

Exploit prediction scoring system (EPSS) score for CVE-2025-22119

Common vulnerability scoring system (CVSS) metrics for CVE-2025-22119

Weakness enumeration for CVE-2025-22119

OS Trackers for CVE-2025-22119

Affected software / configurations for CVE-2025-22119

References for CVE-2025-22119