CVE-2025-71222 Overview
CVE-2025-71222 is a kernel vulnerability in the Linux wlcore WiFi driver. The flaw resides in the wl1271_tx_work transmit path, where skb_push is invoked without first verifying that the socket buffer has sufficient headroom. When the available headroom is less than the required amount (typically 110 - 94 = 16 bytes), the kernel triggers an skb_under_panic Oops, crashing the system.
The vulnerability affects multiple Linux kernel versions, including 6.19-rc1 through 6.19-rc3. The Linux kernel maintainers resolved the issue by ensuring adequate skb headroom before invoking skb_push.
Critical Impact
A local attacker with low privileges can trigger a kernel panic on systems using the wl1271 WiFi hardware, resulting in denial of service through host availability loss.
Affected Products
- Linux Kernel (multiple stable branches prior to fix)
- Linux Kernel 6.19-rc1
- Linux Kernel 6.19-rc2 and 6.19-rc3
Discovery Timeline
- 2026-02-14 - CVE-2025-71222 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2025-71222
Vulnerability Analysis
The vulnerability exists in the wlcore driver, which supports TI WiLink (wl12xx/wl18xx) WiFi chipsets. The wl1271_tx_work function processes outbound packets and calls skb_push to prepend driver headers onto the socket buffer (skb). The skb_push operation requires the buffer to contain sufficient headroom for the requested bytes. When the headroom is insufficient, the kernel detects the underflow and triggers skb_under_panic, resulting in a kernel Oops.
The failure was observed occasionally during transmit workload processing. In the reported case, the driver required 110 bytes of headroom but only 94 bytes were present, leaving the path 16 bytes short. The fix introduces a headroom check and expands the buffer using pskb_expand_head (or equivalent) before performing the push.
Root Cause
The root cause is missing input validation on skb headroom prior to executing skb_push in the WiFi transmit work handler. The driver assumed the upstream networking stack would always supply an skb with adequate headroom, but specific code paths could deliver buffers below the required threshold. This represents a boundary condition error in kernel network buffer handling.
Attack Vector
Exploitation requires local access with low privileges on a system using wlcore-supported hardware. An attacker who can influence transmit traffic patterns, network configuration, or buffer allocation paths can trigger the under-panic condition. The result is a kernel crash that disrupts service availability. The vulnerability does not provide a path to confidentiality or integrity compromise.
No public proof-of-concept exploit is available, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-71222
Indicators of Compromise
- Kernel log entries containing skb_under_panic originating from wl1271_tx_work or the wlcore module.
- Unexpected kernel Oops or panic events on systems using TI WiLink WiFi adapters.
- Repeated WiFi interface resets or driver reinitialization events in dmesg.
Detection Strategies
- Monitor /var/log/kern.log and dmesg output for skb_under_panic stack traces referencing wlcore symbols.
- Inventory Linux endpoints running kernels matching the affected ranges and confirm whether the wlcore, wl12xx, or wl18xx modules are loaded.
- Use eBPF tracing to capture skb_push calls within the wlcore driver and flag invocations against buffers with insufficient headroom.
Monitoring Recommendations
- Forward kernel crash telemetry and kdump artifacts to a centralized logging or SIEM platform for correlation.
- Track kernel version inventory across Linux fleets to identify systems running vulnerable builds.
- Alert on repeated WiFi driver failures that may indicate triggered conditions on affected hardware.
How to Mitigate CVE-2025-71222
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the vendor advisories as soon as they are available in your distribution.
- Identify systems using TI WiLink WiFi hardware and prioritize patching those endpoints.
- Restrict local user access on shared or multi-user Linux hosts that load the wlcore driver.
Patch Information
The Linux kernel community resolved the issue across multiple stable branches. Reference the upstream commits at the Kernel Git Commit: Security Fix, Kernel Git Commit: Bug Fix, Kernel Git Commit: Performance Update, Kernel Git Commit: Security Patch, Kernel Git Commit: Feature Enhancement, Kernel Git Commit: Bug Resolution, and Kernel Git Commit: Maintenance Update. Update to a kernel build that includes these commits and reboot affected systems.
Workarounds
- Unload the wlcore, wl12xx, and wl18xx kernel modules where WiFi functionality is not required.
- Blacklist the affected modules using /etc/modprobe.d/ configuration on systems that do not need TI WiLink support.
- Disable WiFi interfaces on servers and fixed-function appliances that should not transmit wireless traffic.
# Blacklist the vulnerable WiFi driver until patches are applied
echo "blacklist wlcore" | sudo tee /etc/modprobe.d/blacklist-wlcore.conf
echo "blacklist wl12xx" | sudo tee -a /etc/modprobe.d/blacklist-wlcore.conf
echo "blacklist wl18xx" | sudo tee -a /etc/modprobe.d/blacklist-wlcore.conf
sudo update-initramfs -u
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

