CVE-2026-23325
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()
Check frame length before accessing the mgmt fields in mt7996_mac_write_txwi_80211 in order to avoid a possible oob access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, an oob access in mt76 mt7996 driver's mt7996_mac_write_txwi_80211() function can occur due to missing frame length check.
Vulnerability
Analysis
CVE-2026-23325 is an out-of-bounds (oob) access vulnerability in the Linux kernel's MediaTek MT7996 Wi-Fi driver (mt76). The flaw resides in the mt7996_mac_write_txwi_80211() function, which writes transmit descriptor information for 802.11 frames. The root cause is an insufficient frame length check before accessing management frame fields, potentially leading to an oob read or write when processing unusually short or malformed frames [1].
Exploitation
Details
To trigger the vulnerability, an attacker would need the ability to transmit specially crafted 802.11 management frames to a device using the MT7996 chipset. This could be achieved by being within radio range of the target and sending a malformed frame that bypasses normal length validation. No authentication is required, as the vulnerability lies in the frame processing path before any security checks are applied.
Impact
A successful exploit could allow the attacker to read out-of-bounds memory, potentially leaking sensitive data, or cause a system crash (denial of service). In worst-case scenarios, oob write primitives might be leveraged for code execution, though the CVE description only explicitly mentions oob access.
Mitigation
The fix involves adding a frame length check before mt7996_mac_write_txwi_80211() accesses mgmt fields. The patch has been applied to the stable kernel tree [1]. Users should update to a kernel version containing this patch or apply the specific commit to their kernel build.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
10cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 9 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.2.1,<6.6.130
- cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/45661d22639c4b747ef1bd0822b8e76e421a808anvdPatch
- git.kernel.org/stable/c/60862846308627e9e15546bb647a00de44deb27bnvdPatch
- git.kernel.org/stable/c/a6605f61913155e130bfd04d438c3ce1a572fb0fnvdPatch
- git.kernel.org/stable/c/ca1adc04fc2cb1d9f1842e429debe6a520d54966nvdPatch
- git.kernel.org/stable/c/f4cdf6b43689e901a341e7147fcfb25057c38eaenvdPatch
News mentions
0No linked articles in our index yet.