VYPR
Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-46136

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7921: fix a potential clc buffer length underflow

The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC.

This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A potential buffer length underflow in mt7921's CLC country power parsing can cause an infinite loop or driver init failure.

Vulnerability

In the Linux kernel's mt76 driver, specifically in mt7921, the function that parses the country power setting (CLC table) uses a buf_len variable to limit iterations. Due to changes in the power table structure, the buf_len may underflow (become negative or wrap) under certain conditions [1]. This affects kernel versions that include the vulnerable driver code before the fix commit 5373f8b19e56.

Exploitation

An attacker would need to influence or provide a crafted CLC power table, which typically requires some form of firmware or calibration data manipulation. The underflow occurs during driver initialization when parsing the table, and no special user interaction is required beyond the hardware/firmware conditions being met.

Impact

A successful underflow leads to either an almost infinite loop (causing denial of service) or an invalid power setting that causes driver initialization failure, preventing Wi-Fi functionality on the affected device. The impact is primarily availability (denial of service) with no direct privilege escalation or data disclosure mentioned.

Mitigation

A fix has been applied in the Linux kernel stable commit 5373f8b19e56 [1]. Users should update to a kernel version that includes this commit. No workarounds have been described; the vulnerability is not listed on the CISA KEV.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0aa63d33742b

wifi: mt76: mt7921: fix a potential clc buffer length underflow

1 file changed · +3 1
  • drivers/net/wireless/mediatek/mt76/mt7921/mcu.c+3 1 modified
    diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    index edc1df3c071e56..663b245f2891f7 100644
    --- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    +++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    @@ -1353,6 +1353,9 @@ int __mt7921_mcu_set_clc(struct mt792x_dev *dev, u8 *alpha2,
     		u16 len = le16_to_cpu(rule->len);
     		u16 offset = len + sizeof(*rule);
     
    +		if (buf_len < offset)
    +			break;
    +
     		pos += offset;
     		buf_len -= offset;
     		if (rule->alpha2[0] != alpha2[0] ||
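
Review bot: `offset` in the context line just above the new check is a `u16` holding `len + sizeof(*rule)`, so a `len` close to 0xffff truncates to a small value and the added `buf_len < offset` test then passes on the wrapped number. Computing the sum in a wider type, for example `u32 offset = len + sizeof(*rule);`, would let the comparison see the real entry size.
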
    -- 
    cgit 1.3-korg
    
    
    
e451c325b000

wifi: mt76: mt7921: fix a potential clc buffer length underflow

1 file changed · +3 1
  • drivers/net/wireless/mediatek/mt76/mt7921/mcu.c+3 1 modified
    diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    index d1b1b8f767fc89..80a07e5f3a27ed 100644
    --- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    +++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    @@ -1155,6 +1155,9 @@ int __mt7921_mcu_set_clc(struct mt792x_dev *dev, u8 *alpha2,
     		u16 len = le16_to_cpu(rule->len);
     		u16 offset = len + sizeof(*rule);
     
    +		if (buf_len < offset)
    +			break;
    +
     		pos += offset;
     		buf_len -= offset;
     		if (rule->alpha2[0] != alpha2[0] ||
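
Review bot: the added `break` leaves the walk silently, so a table whose next entry overruns the buffer looks the same as one that simply ended. A warning or an error return at the `if (buf_len < offset)` branch would make a malformed CLC blob visible to whoever later debugs a missing country match.
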
    -- 
    cgit 1.3-korg
    
    
    
90cc573fd2f4

wifi: mt76: mt7921: fix a potential clc buffer length underflow

1 file changed · +3 1
  • drivers/net/wireless/mediatek/mt76/mt7921/mcu.c+3 1 modified
    diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    index 8d3f3c8b1a8899..46b3b8d91cd84e 100644
    --- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    +++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    @@ -1344,6 +1344,9 @@ int __mt7921_mcu_set_clc(struct mt792x_dev *dev, u8 *alpha2,
     		u16 len = le16_to_cpu(rule->len);
     		u16 offset = len + sizeof(*rule);
     
    +		if (buf_len < offset)
    +			break;
    +
     		pos += offset;
     		buf_len -= offset;
     		if (rule->alpha2[0] != alpha2[0] ||
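
Review bot: `rule->len` is read on the first context line before the new check runs, so the check bounds the entry as a whole but depends on the loop condition, which is outside this hunk, to guarantee that a full rule header is still in the buffer. A one-line comment at `if (buf_len < offset)` stating that invariant would keep a later change to the loop bound from reopening the problem.
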
    -- 
    cgit 1.3-korg
    
    
    
a0111847f0b4

wifi: mt76: mt7921: fix a potential clc buffer length underflow

1 file changed · +3 1
  • drivers/net/wireless/mediatek/mt76/mt7921/mcu.c+3 1 modified
    diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    index 833d0ab6423034..8442dbd2ee23f8 100644
    --- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    +++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    @@ -1353,6 +1353,9 @@ int __mt7921_mcu_set_clc(struct mt792x_dev *dev, u8 *alpha2,
     		u16 len = le16_to_cpu(rule->len);
     		u16 offset = len + sizeof(*rule);
     
    +		if (buf_len < offset)
    +			break;
    +
     		pos += offset;
     		buf_len -= offset;
     		if (rule->alpha2[0] != alpha2[0] ||
    -- 
    cgit 1.3-korg
    
    
    
5373f8b19e56

wifi: mt76: mt7921: fix a potential clc buffer length underflow

1 file changed · +3 1
  • drivers/net/wireless/mediatek/mt76/mt7921/mcu.c+3 1 modified
    diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    index 833d0ab6423034..8442dbd2ee23f8 100644
    --- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    +++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
    @@ -1353,6 +1353,9 @@ int __mt7921_mcu_set_clc(struct mt792x_dev *dev, u8 *alpha2,
     		u16 len = le16_to_cpu(rule->len);
     		u16 offset = len + sizeof(*rule);
     
    +		if (buf_len < offset)
    +			break;
    +
     		pos += offset;
     		buf_len -= offset;
     		if (rule->alpha2[0] != alpha2[0] ||
    -- 
    cgit 1.3-korg
    
    
    

Vulnerability mechanics

Root cause

"Missing bounds check before subtracting offset from buf_len allows integer underflow when parsing a malformed CLC power table entry."

Attack vector

An attacker who can supply or influence the CLC (country power configuration) table — for example by providing a modified firmware or power table blob — can craft an entry where `rule->len` is larger than the remaining `buf_len`. When `buf_len` underflows (wraps to a very large unsigned value), the loop continues almost indefinitely or processes invalid data, causing driver initialization failure [patch_id=2898387]. The precondition is that the attacker controls the CLC power table data that the driver parses.

Affected code

The vulnerability is in the `__mt7921_mcu_set_clc` function in `drivers/net/wireless/mediatek/mt76/mt7921/mcu.c` [patch_id=2898387]. The loop that iterates over country power setting entries subtracts `offset` (derived from `rule->len` and `sizeof(*rule)`) from `buf_len` without first checking whether `buf_len` is smaller than `offset`.

What the fix does

The patch adds a bounds check before the subtraction: `if (buf_len < offset) break;` [patch_id=2898387]. This ensures that if the remaining buffer length is smaller than the size of the next rule entry (including its variable-length data), the loop exits immediately instead of underflowing `buf_len`. The fix prevents the infinite loop and the invalid power setting that previously resulted from the underflow.
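
The loop before and after the patch, as a user-space model added here (not the driver's code). The 4-byte rule header, the `sample` table, the `HDR` constant and the `while` bound are assumptions made for illustration, and the pre-patch branch stops at the wrap instead of reading past the buffer.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table: each rule is alpha2[2], len (u16, little-endian), payload.
 * Rule "AA" carries 4 payload bytes; rule "BB" claims 64 but only 6 follow it. */
static const uint8_t sample[] = {
    'A', 'A', 0x04, 0x00, 0x11, 0x11, 0x11, 0x11,
    'B', 'B', 0x40, 0x00, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
};
#define HDR 4u /* header size in this model, not the driver's struct size */

struct walk_result { int rules_seen; int underflowed; uint32_t buf_len_end; };

/* checked = 0 models the loop before the patch, checked = 1 the loop after it. */
static struct walk_result walk_rules(const uint8_t *buf, uint32_t total, int checked)
{
    struct walk_result r = {0, 0, total};
    uint32_t pos = 0, buf_len = total;

    while (buf_len > HDR) {                     /* loop bound assumed for the model */
        uint16_t len = (uint16_t)(buf[pos + 2] | (buf[pos + 3] << 8));
        uint32_t offset = (uint32_t)len + HDR;

        if (checked && buf_len < offset)
            break;                              /* the check the patch adds */
        r.rules_seen++;
        if (buf_len < offset) {                 /* pre-patch path */
            r.underflowed = 1;
            r.buf_len_end = buf_len - offset;   /* unsigned wrap-around */
            return r;                           /* model stops: no stray reads */
        }
        pos += offset;
        buf_len -= offset;
    }
    r.buf_len_end = buf_len;
    return r;
}

int main(void)
{
    struct walk_result pre = walk_rules(sample, (uint32_t)sizeof(sample), 0);
    struct walk_result post = walk_rules(sample, (uint32_t)sizeof(sample), 1);
    printf("pre-patch:  rules=%d wrapped=%d buf_len=%u\n",
           pre.rules_seen, pre.underflowed, (unsigned)pre.buf_len_end);
    printf("post-patch: rules=%d wrapped=%d buf_len=%u\n",
           post.rules_seen, post.underflowed, (unsigned)post.buf_len_end);
    return 0;
}
```

With the wrapped counter, the pre-patch loop condition stays true for billions of further iterations, which is the "almost infinite loop" in the description.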

Preconditions

  • input: Attacker must be able to supply or modify the CLC (country power configuration) table data that the mt7921 driver parses.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
