VYPR
Unrated severity · NVD Advisory · Published Jun 3, 2026

CVE-2026-46248

Description

Linux kernel WiFi driver (ath12k) has a bug where stale link mappings can cause WARN_ON messages during connection setup.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In the Linux kernel's ath12k WiFi driver, a vulnerability exists where stale link mappings can be retained. This occurs when an arvif is initialized in non-AP STA mode, but MLO connection preparation fails before the arvif is fully created. The error path attempts to delete links, but this only executes if arvif->is_created is true. Consequently, ahvif retains a stale entry for the initialized but uncreated arvif. This stale mapping can trigger a WARN_ON when a new arvif is initialized with the same link ID. Affected versions are not explicitly detailed but the fix is present in the kernel version referenced [1].

Exploitation

An attacker would need to trigger a specific network connection scenario. The vulnerability is triggered when an arvif is initialized but fails to be created during MLO connection preparation. If a subsequent initialization attempt uses the same link ID, the stale mapping will cause the WARN_ON condition to be met. This requires the attacker to be in a network position to influence or initiate these connection attempts.

Impact

The primary impact of this vulnerability is the triggering of a WARN_ON message within the ath12k driver, indicating a software assertion failure. This can lead to system instability or unexpected behavior within the WiFi subsystem. While not explicitly stated as leading to denial of service or remote code execution, such warnings can be indicative of deeper issues or potential points of failure in network operations.

Mitigation

The issue has been resolved by unassigning the link vif and clearing ahvif->links_map if the arvif is only initialized but not created. The fix is available in the Linux kernel version referenced [1]. No specific fixed version number or release date is provided, but the commit is dated 2024-05-17. No workarounds are mentioned, and the vulnerability is not listed on the KEV catalog.
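
A user-space model of the state handling described above, added here as an illustration; it is not code from the ath12k driver. Only links_map and is_created come from the advisory; the model_ names, the 15-link limit, and counting the warning at link initialization are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define MODEL_MAX_LINKS 15	/* assumed size, for this model only */

struct model_ahvif {
	uint16_t links_map;			/* bit n set => link n mapped */
	bool is_created[MODEL_MAX_LINKS];	/* per-link arvif->is_created */
	unsigned int warn_count;		/* simulated WARN_ON hits */
};

/* Initialize a link; a bit already set for this ID is the stale mapping. */
static void model_init_link(struct model_ahvif *v, unsigned int id)
{
	if (v->links_map & (1u << id))
		v->warn_count++;
	v->is_created[id] = false;
	v->links_map |= (uint16_t)(1u << id);
}

/* Error-path link removal; 'patched' selects the behaviour after the fix. */
static void model_remove_links(struct model_ahvif *v, uint16_t mask, bool patched)
{
	for (unsigned int id = 0; id < MODEL_MAX_LINKS; id++) {
		if (!(mask & v->links_map & (1u << id)))
			continue;
		if (!v->is_created[id] && !patched)
			continue;	/* unpatched: mapping left behind */
		v->is_created[id] = false;	/* real teardown elided */
		v->links_map &= (uint16_t)~(1u << id);
	}
}

/* Init a link, fail before creation, clean up, then init the same ID again. */
static unsigned int model_retry_after_failed_prepare(bool patched, unsigned int id)
{
	struct model_ahvif v = {0};
	model_init_link(&v, id);
	model_remove_links(&v, (uint16_t)(1u << id), patched);
	model_init_link(&v, id);
	return v.warn_count;
}

int main(void)
{
	printf("unpatched: %u warning(s)\n", model_retry_after_failed_prepare(false, 2));
	printf("patched:   %u warning(s)\n", model_retry_after_failed_prepare(true, 2));
	return 0;
}
```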

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

6
da289440f04c

wifi: ath12k: clear stale link mapping of ahvif->links_map

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Aaradhana Sahu · Jan 27, 2026 · Fixed in 6.18.14 · via kernel-cna
1 file changed · +3 2
  • drivers/net/wireless/ath/ath12k/mac.c+3 2 modified
    diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
    index 256ffae4d7f7d..b97469dca0467 100644
    --- a/drivers/net/wireless/ath/ath12k/mac.c
    +++ b/drivers/net/wireless/ath/ath12k/mac.c
    @@ -4004,8 +4004,10 @@ ath12k_mac_op_change_vif_links(struct ieee80211_hw *hw,
     		if (WARN_ON(!arvif))
     			return -EINVAL;
     
    -		if (!arvif->is_created)
    +		if (!arvif->is_created) {
    +			ath12k_mac_unassign_link_vif(arvif);
     			continue;
    +		}
     
     		if (WARN_ON(!arvif->ar))
     			return -EINVAL;
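
Review bot: the new ath12k_mac_unassign_link_vif(arvif) call in the !arvif->is_created branch runs before the WARN_ON(!arvif->ar) check a few lines below, so it is reached for link vifs whose ar may not be set. Please confirm that the helper does not depend on arvif->ar in this tree, and say so in the commit message if that holds.
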
    -- 
    cgit 1.3-korg
    
    
    
acd8319e834b

wifi: ath12k: clear stale link mapping of ahvif->links_map

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Aaradhana Sahu · Jan 27, 2026 · Fixed in 6.19.4 · via kernel-cna
1 file changed · +3 2
  • drivers/net/wireless/ath/ath12k/mac.c+3 2 modified
    diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
    index e0e49f782bf8d..63684ff9332d4 100644
    --- a/drivers/net/wireless/ath/ath12k/mac.c
    +++ b/drivers/net/wireless/ath/ath12k/mac.c
    @@ -4175,8 +4175,10 @@ ath12k_mac_op_change_vif_links(struct ieee80211_hw *hw,
     		if (WARN_ON(!arvif))
     			return -EINVAL;
     
    -		if (!arvif->is_created)
    +		if (!arvif->is_created) {
    +			ath12k_mac_unassign_link_vif(arvif);
     			continue;
    +		}
     
     		if (WARN_ON(!arvif->ar))
     			return -EINVAL;
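
Review bot: the braces added around the !arvif->is_created branch carry no comment, and the reason for unassigning a link vif that was never created is not obvious from the code alone. A one-line comment above the call, noting that an initialized but uncreated arvif still holds its entry in ahvif->links_map, would keep the call from being dropped in a later cleanup.
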
    -- 
    cgit 1.3-korg
    
    
    
2c1ba9c2adf0

wifi: ath12k: clear stale link mapping of ahvif->links_map

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Aaradhana Sahu · Jan 27, 2026 · Fixed in 7.0 · via kernel-cna
1 file changed · +3 2
  • drivers/net/wireless/ath/ath12k/mac.c+3 2 modified
    diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
    index 794538c7c0ab4..6c534f0d59cef 100644
    --- a/drivers/net/wireless/ath/ath12k/mac.c
    +++ b/drivers/net/wireless/ath/ath12k/mac.c
    @@ -4281,8 +4281,10 @@ ath12k_mac_op_change_vif_links(struct ieee80211_hw *hw,
     		if (WARN_ON(!arvif))
     			return -EINVAL;
     
    -		if (!arvif->is_created)
    +		if (!arvif->is_created) {
    +			ath12k_mac_unassign_link_vif(arvif);
     			continue;
    +		}
     
     		if (WARN_ON(!arvif->ar))
     			return -EINVAL;
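
Review bot: both return -EINVAL statements around the changed branch leave the loop immediately, so a later link vif that is initialized but not created never reaches the new ath12k_mac_unassign_link_vif() call. Consider whether those two WARN_ON paths should keep iterating, or jump to a common cleanup, so the stale mapping is cleared on them as well.
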
    -- 
    cgit 1.3-korg
    
    
    

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3
