CVE-2025-68380
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix peer HE MCS assignment
In ath11k_wmi_send_peer_assoc_cmd(), the peer's transmit MCS is sent to firmware as receive MCS while the peer's receive MCS is sent as transmit MCS, which goes against the firmware's definition.
While connecting to a misbehaving AP that advertises 0xffff (meaning not supported) for the 160 MHz transmit MCS map, firmware crashes because 0xffff is assigned to the he_mcs->rx_mcs_set field.
Ext Tag: HE Capabilities [...] Supported HE-MCS and NSS Set [...] Rx and Tx MCS Maps 160 MHz [...] Tx HE-MCS Map 160 MHz: 0xffff
Swap the assignment to fix this issue.
As the HE rate control mask is meant to limit our own transmit MCS, it needs to go via the he_mcs->rx_mcs_set field. With the aforementioned swapping done, a change is needed as well to apply it to the peer's receive MCS.
Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A swapped transmit/receive HE MCS assignment in ath11k can cause a firmware crash when connecting to an AP advertising 0xffff for 160 MHz Tx MCS.
Root Cause
In the Linux kernel's ath11k_wmi_send_peer_assoc_cmd(), the two HE MCS maps were assigned to the wrong WMI fields: the peer's transmit MCS map was sent to firmware as the receive map, and the peer's receive MCS map as the transmit map. This contradicts the firmware's definition of the two fields, so an AP that legitimately advertises 0xffff ("not supported") for 160 MHz transmit ends up with 0xffff in he_mcs->rx_mcs_set. The fix corrects the assignment order. Because the HE rate control mask limits the station's own transmit MCS, and what the station transmits is what the peer receives, the fix also moves application of that mask to the peer's receive MCS map so that it still reaches he_mcs->rx_mcs_set after the swap.
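The C program below is an added illustration of the mechanics described above; it is not code from the kernel, from the referenced commits or from this page. The struct and function names (peer_assoc_arg, wmi_he_rate_set, fill_he_rate_set_swapped, fill_he_rate_set_fixed, he_apply_tx_mask, fw_accepts_rx_map) are simplified stand-ins chosen to follow the commit-message wording, the AP capability values are constructed, and the "firmware rejects" check is a model of the crash condition the CVE text names, not the real firmware behaviour. The HE-MCS map encoding (2 bits per NSS, 3 = not supported) is the 802.11ax one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 802.11ax HE-MCS map: 16 bits, 2 bits per spatial stream, NSS 1 in bits 0-1.
 * Per-NSS codes: 0 = MCS 0-7, 1 = MCS 0-9, 2 = MCS 0-11, 3 = not supported.
 * 0xffff is therefore "not supported" on every stream, the value the AP in
 * the CVE advertised for its 160 MHz Tx map. */
#define HE_MCS_NOT_SUPPORTED 3u
#define HE_MCS_MAP_NONE      0xffffu

/* Hypothetical stand-ins for the driver's peer-assoc arguments and the WMI
 * rate-set TLV sent to firmware; not the kernel's real definitions. */
struct peer_assoc_arg {
    uint16_t peer_he_rx_mcs_set; /* what the peer can receive  = our Tx */
    uint16_t peer_he_tx_mcs_set; /* what the peer can transmit = our Rx */
};

struct wmi_he_rate_set {
    uint16_t rx_mcs_set;
    uint16_t tx_mcs_set;
};

/* "Before": peer Tx map lands in rx_mcs_set and peer Rx map in tx_mcs_set. */
static void fill_he_rate_set_swapped(struct wmi_he_rate_set *he,
                                     const struct peer_assoc_arg *arg)
{
    he->rx_mcs_set = arg->peer_he_tx_mcs_set;
    he->tx_mcs_set = arg->peer_he_rx_mcs_set;
}

/* "After": each map goes to the field of the same direction. */
static void fill_he_rate_set_fixed(struct wmi_he_rate_set *he,
                                   const struct peer_assoc_arg *arg)
{
    he->rx_mcs_set = arg->peer_he_rx_mcs_set;
    he->tx_mcs_set = arg->peer_he_tx_mcs_set;
}

/* 2-bit MCS code for a 1-based NSS index. */
static unsigned he_mcs_for_nss(uint16_t map, unsigned nss)
{
    return (map >> ((nss - 1) * 2)) & 3u;
}

/* Model of the condition named in the CVE: an Rx map that is "not supported"
 * on every stream is refused here instead of crashing the firmware. */
static bool fw_accepts_rx_map(uint16_t rx_mcs_set)
{
    return rx_mcs_set != HE_MCS_MAP_NONE;
}

/* Rx map the firmware would see for a given AP advertisement. */
static uint16_t rx_map_sent_to_fw(bool with_fix, uint16_t peer_rx, uint16_t peer_tx)
{
    struct peer_assoc_arg arg = { .peer_he_rx_mcs_set = peer_rx,
                                  .peer_he_tx_mcs_set = peer_tx };
    struct wmi_he_rate_set he;

    if (with_fix)
        fill_he_rate_set_fixed(&he, &arg);
    else
        fill_he_rate_set_swapped(&he, &arg);
    return he.rx_mcs_set;
}

/* Apply the host's HE rate-control mask to the peer's Rx map. The mask limits
 * what we transmit, and what we transmit is what the peer receives, so it
 * narrows the peer Rx map (which, after the fix, feeds he->rx_mcs_set).
 * Per NSS: "not supported" if either side says so, else the smaller range. */
static uint16_t he_apply_tx_mask(uint16_t peer_rx_map, uint16_t host_tx_mask)
{
    uint16_t out = 0;

    for (unsigned nss = 1; nss <= 8; nss++) {
        unsigned peer = he_mcs_for_nss(peer_rx_map, nss);
        unsigned host = he_mcs_for_nss(host_tx_mask, nss);
        unsigned v = (peer == HE_MCS_NOT_SUPPORTED || host == HE_MCS_NOT_SUPPORTED)
                         ? HE_MCS_NOT_SUPPORTED : (peer < host ? peer : host);
        out |= (uint16_t)(v << ((nss - 1) * 2));
    }
    return out;
}

int main(void)
{
    /* Constructed 160 MHz advertisement: the AP receives MCS 0-11 on two
     * streams (0xfffa) but declares Tx unsupported (0xffff), as in the CVE. */
    const uint16_t ap_rx = 0xfffa, ap_tx = 0xffff;
    /* Constructed host mask: allow MCS 0-9 on NSS 1-2 only. */
    const uint16_t host_mask = 0xfff5;
    uint16_t swapped = rx_map_sent_to_fw(false, ap_rx, ap_tx);
    uint16_t fixed = rx_map_sent_to_fw(true, ap_rx, ap_tx);

    printf("swapped: rx_mcs_set=0x%04x accepted=%d\n", swapped, fw_accepts_rx_map(swapped));
    printf("fixed:   rx_mcs_set=0x%04x accepted=%d\n", fixed, fw_accepts_rx_map(fixed));
    printf("masked:  rx_mcs_set=0x%04x\n", he_apply_tx_mask(fixed, host_mask));
    return 0;
}
```

With the swapped fill, the AP's 0xffff Tx map is what reaches rx_mcs_set and the model rejects it; with the fixed fill, rx_mcs_set carries the AP's real Rx map (0xfffa) and the host mask then narrows it to 0xfff5. Applying the same mask to the Tx map instead would leave the value that actually governs our transmit rates untouched, which is why the commit moves the mask along with the swap.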
Exploitation
An attacker can trigger this bug by operating a rogue or misconfigured AP whose HE Capabilities element advertises 0xffff ("not supported") as the 160 MHz transmit MCS map. Note that 0xffff is a legal value for an AP to advertise; the problem is on the station side. When a station running a vulnerable ath11k driver associates with such an AP, the driver copies that value into the firmware's he_mcs->rx_mcs_set field and the firmware crashes. No privileges on the station are required; the attacker only needs the station to associate with an AP whose HE capabilities they control, for example by standing up a network the station is configured to join.
Impact
Successful exploitation results in a firmware crash on the station, which disrupts Wi-Fi connectivity until the firmware is recovered or the device is reset, a denial-of-service (DoS) condition. The CVE description does not document the recovery path, so a driver/firmware reload or system reboot should be assumed in the worst case. The vulnerability is limited to ath11k-based devices (the fix was tested on WCN6855 and QCN9274) and, based on the referenced patches, does not allow arbitrary code execution or information disclosure.
Mitigation
The fix has been applied to the Linux kernel stable branches as the six commits listed under References. Users should update to a kernel version containing the patch. No workaround is documented; until patched, affected devices can only avoid associating with APs that advertise 0xffff for the 160 MHz transmit MCS map, which is not something a station can reliably enforce.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 6
- git.kernel.org/stable/c/097c870b91817779e5a312c6539099a884b1fe2b (nvd)
- git.kernel.org/stable/c/381096a417b7019896e93e86f4c585c592bf98e2 (nvd)
- git.kernel.org/stable/c/4304bd7a334e981f189b9973056a58f84cc2b482 (nvd)
- git.kernel.org/stable/c/4a013ca2d490c73c40588d62712ffaa432046a04 (nvd)
- git.kernel.org/stable/c/6b1a0da75932353f66e710976ca85a7131f647ff (nvd)
- git.kernel.org/stable/c/92791290e4f6a1de25d35af792ab8918a70737f6 (nvd)
News mentions: 0
No linked articles in our index yet.