CVE-2026-23315
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
Check frame length before accessing the mgmt fields in mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob access.
[fix check to also cover mgmt->u.action.u.addba_req.capab, correct Fixes tag]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing frame-length check in mt76_connac2_mac_write_txwi_80211() can lead to out-of-bounds access when processing certain Wi-Fi management frames.
Vulnerability
Description
In the Linux kernel, an out-of-bounds (oob) access vulnerability exists in the MediaTek Wi-Fi driver component mt76_connac2_mac_write_txwi_80211(). The function fails to properly validate the length of incoming frame data before accessing management frame fields. This missing check could allow an attacker to cause a read or write beyond the allocated buffer boundary, leading to memory corruption or information disclosure [1][4].
Exploitation
Conditions
An attacker would need to craft a special Wi-Fi management frame (e.g., containing an Add Block Acknowledgment (ADDBA) request) that is undersized or malformed. The vulnerable function processes such frames without verifying that the frame is long enough to contain the expected fields, such as mgmt->u.action.u.addba_req.capab. Exploitation requires the ability to inject arbitrary Wi-Fi frames that reach the driver, which typically necessitates proximity to the target device and the ability to send wireless frames to the vulnerable system [1].
Impact
A successful oob access could result in the kernel reading or writing memory outside the intended buffer. This may lead to system instability, denial of service, or potentially an elevation of privilege if the attacker can control the out-of-bounds data. The bug is classified as High severity with a CVSS v3 score of 7.1, reflecting the potential for significant impact [1].
Mitigation
The fix adds a length check to ensure the frame is sufficiently large before accessing management-specific fields. The patch has been applied to the Linux kernel stable branches, and users are advised to update to the corrected kernel versions containing the relevant commit [1][2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
10cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 9 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=5.10.1,<6.1.167
- cpe:2.3:o:linux:linux_kernel:5.10:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- git.kernel.org/stable/c/0fb3b94a9431a3800717e5c3b6fa2e1045a15029nvdPatch
- git.kernel.org/stable/c/4e10a730d1b511ff49723371ed6d694dd1b2c785nvdPatch
- git.kernel.org/stable/c/7ae7b093b7dba9548a3bc4766b9364b97db4732dnvdPatch
- git.kernel.org/stable/c/7b692dff8df0ba5feb8df00f27d906d6eb1fe627nvdPatch
- git.kernel.org/stable/c/84419556359bc96d3fe1623d47a64c86542566ccnvdPatch
- git.kernel.org/stable/c/9612d91f617231e03c49cb9b0c02f975a3b4f51fnvdPatch
News mentions
0No linked articles in our index yet.