KernelScan.io

HIGH

mt76 WiFi Frame OOB Read

CVE-2026-23315

CVSS 7.1 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

KernelScan AI: 7.1 HIGH


In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Check frame length before accessing the mgmt fields in mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob access. [fix check to also cover mgmt->u.action.u.addba_req.capab, correct Fixes tag]


Engine v0.2.0

Risk summary

An attacker on the same wireless network could send specially crafted WiFi management frames to cause the kernel to read beyond allocated memory boundaries. This could potentially lead to information disclosure or system crashes, affecting the availability and confidentiality of WiFi-enabled systems using MediaTek wireless hardware.

Affected: drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c

Vulnerability analysis

Root Cause: The mt76_connac2_mac_write_txwi_80211() function accesses management frame fields (mgmt->u.action.u.addba_req.capab) without first validating that the skb buffer contains sufficient data. When processing IEEE 802.11 action frames, the code assumes the frame is large enough to contain the ADDBA request structure, but malformed or truncated frames could cause out-of-bounds memory reads.

Attack Surface: This vulnerability affects WiFi-enabled systems using MediaTek MT76 wireless drivers. An attacker with the ability to send malformed 802.11 management frames (either as an associated client or through frame injection) could trigger the out-of-bounds read. The attack requires local wireless network access but does not require authentication or special privileges on the target system.

Fix Mechanism: The patch adds a length check 'skb->len >= IEEE80211_MIN_ACTION_SIZE + 1 + 1 + 2' before accessing the management frame fields. This ensures the buffer contains at least the minimum action frame size plus the additional bytes needed for the category (1 byte), action code (1 byte), and capability field (2 bytes) of the ADDBA request structure.


Branch     Fixed in    Patch commit
6.1        6.1.167     84419556359b
6.12       6.12.77     7b692dff8df0
6.18       6.18.17     9612d91f6172
6.19       6.19.7      0fb3b94a9431
6.6        6.6.130     7ae7b093b7db
mainline   7.0         4e10a730d1b5