CVE-2023-54052

Vulnerability

Description

In the Linux kernel's mt7921 WiFi driver (part of the mt76 family), a memory leak occurs when transmit status (txs) notifications are dropped for frames that are aggregated in an A-MSDU (Aggregate MAC Service Data Unit. The root cause is that the driver expects a txs callback for each transmitted frame, but when frames are aggregated, the hardware may not generate a separate txs for each sub-frame. This leads to the socket buffer (Socket Buffer) being held indefinitely, as the driver never releases them.

Exploitation and

Attack Surface

An attacker does not need special privileges to trigger this condition; any user or process that sends network traffic over a mt7921-based WiFi interface can cause the leak. The vulnerability is triggered during normal operation when the driver aggregates multiple frames into an A-MSDU. No authentication is not a direct remote code execution vector, but it degrades network performance and can lead to a denial-of-service condition.

Impact

When the leak occurs, the driver holds onto SKBs that should have been freed after transmission. Over time, this exhausts the available SKB pool, causing the network stack to stop transmitting new packets temporarily. The driver does have a timeout mechanism that eventually recovers, but the network stall can be disruptive. The fix disables txs for A-MSDU frames to prevent the leak entirely.

Mitigation

The fix is included in the Linux kernel stable tree via commits [1] and [2]. Users should update their kernel to a version containing these commits. No workaround is available other than applying the patch or disabling A-MSDU aggregation (which may reduce performance). The vulnerability is not known to be exploited in the wild and is not listed on CISA KEV-listed.