CVE-2025-29338 Overview
CVE-2025-29338 is a buffer overflow vulnerability in the NXP moal.ko Wi-Fi driver version 5.1.7.10. The flaw exists in the woal_init_module_param function and is triggered through the mod_para parameter. Affected firmware versions range from v17.92.1.p149.43 to v17.92.1.p149.157. The issue is classified under CWE-120: Buffer Copy without Checking Size of Input. Exploitation requires local access with high privileges, limiting the attack surface to authenticated users on the affected system. Successful exploitation can cause kernel memory corruption, leading to system instability or potential code execution within the kernel context.
Critical Impact
A local attacker with high privileges can corrupt kernel memory via the mod_para parameter, causing denial of service or potential privilege escalation through the NXP Wi-Fi kernel driver.
Affected Products
- NXP moal.ko Wi-Fi driver version 5.1.7.10
- NXP Wi-Fi firmware versions v17.92.1.p149.43 through v17.92.1.p149.157
- Systems integrating the affected NXP Wi-Fi kernel module
Discovery Timeline
- 2026-05-13 - CVE-2025-29338 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2025-29338
Vulnerability Analysis
The vulnerability resides in the woal_init_module_param function within the NXP moal.ko kernel module. This function processes the mod_para parameter during driver initialization. The function copies input data into a fixed-size buffer without validating the input length against the destination buffer size. An attacker controlling the mod_para parameter can supply an oversized value, overflowing the buffer and corrupting adjacent kernel memory.
Because the vulnerable code path executes in kernel space, memory corruption affects the kernel address space directly. Impact includes denial of service through kernel panic and potential modification of kernel data structures. The CVSS vector indicates impact to confidentiality, integrity, and availability, with availability rated as the most severe consequence.
The attack requires local access and high privileges, which typically means the attacker must already possess administrative capabilities to load or configure the driver module. This precondition reduces real-world exploitability but does not eliminate risk in multi-tenant or compromised environments.
Root Cause
The root cause is missing bounds checking when copying the mod_para module parameter into a fixed-size kernel buffer during initialization. The driver trusts the caller-supplied length without sanitization, allowing writes beyond the allocated buffer boundary.
Attack Vector
An authenticated local attacker with sufficient privileges to load kernel modules or pass module parameters supplies a crafted mod_para value when initializing the moal.ko driver. The oversized parameter triggers the overflow inside woal_init_module_param, corrupting kernel memory and producing denial of service or undefined kernel behavior. Technical details and a proof-of-concept are available in the GitHub PoC Repository.
Detection Methods for CVE-2025-29338
Indicators of Compromise
- Kernel panic logs or oops messages referencing moal.ko or woal_init_module_param
- Unexpected reload events for the NXP Wi-Fi driver module in dmesg output
- Module parameter assignments to mod_para containing unusually long string values
Detection Strategies
- Audit modprobe and insmod invocations targeting moal.ko and capture passed parameters
- Inspect /var/log/kern.log and journalctl -k for stack traces involving the NXP Wi-Fi driver
- Verify the installed driver version against the vulnerable range v17.92.1.p149.43 to v17.92.1.p149.157
Monitoring Recommendations
- Forward kernel logs to a centralized logging platform for correlation against driver crash patterns
- Alert on repeated kernel module load failures or sudden Wi-Fi subsystem restarts
- Monitor privileged shell sessions that interact with kernel module loading utilities
How to Mitigate CVE-2025-29338
Immediate Actions Required
- Identify all systems running the NXP moal.ko Wi-Fi driver version 5.1.7.10 with affected firmware
- Restrict the ability to load kernel modules and set module parameters to a minimal set of administrators
- Apply the firmware update referenced in the vendor release note as soon as it is available in your environment
Patch Information
NXP documents the fix in the NXP Release Note RN00104. Administrators should upgrade to a firmware version outside the vulnerable range v17.92.1.p149.43 to v17.92.1.p149.157 and update the associated moal.ko driver package shipped by their device vendor.
Workarounds
- Disable the NXP Wi-Fi interface where wireless connectivity is not required
- Remove or blacklist moal.ko from automatic loading until the patched version is deployed
- Enforce least-privilege controls so non-administrative accounts cannot influence module parameters
# Configuration example
# Blacklist the vulnerable module until patched firmware is applied
echo "blacklist moal" | sudo tee /etc/modprobe.d/blacklist-moal.conf
sudo update-initramfs -u
# Verify the currently loaded driver version
modinfo moal | grep -E "version|filename"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
