HIGH
mt76 Action Frame OOB
CVE-2026-23325
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI 7.1 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()

Check frame length before accessing the mgmt fields in mt7996_mac_write_txwi_80211 in order to avoid a possible oob access.
02 KernelScan AI Analysis
Risk summary
An attacker within wireless range could send specially crafted 802.11 action frames to trigger out-of-bounds memory reads in the kernel. This could potentially lead to information disclosure by reading kernel memory contents or system crashes. The vulnerability affects MediaTek MT7996 Wi-Fi 7 devices and requires the attacker to be within wireless transmission range.
Vulnerability analysis
Root Cause: The mt7996_mac_write_txwi_80211() function accesses management frame fields (mgmt->u.action.category and mgmt->u.action.u.addba_req.action_code) without first validating that the skb buffer contains sufficient data. This can lead to reading beyond the allocated buffer boundaries when processing malformed or truncated 802.11 action frames.
Attack Surface: This vulnerability affects systems with MediaTek MT7996 Wi-Fi 7 hardware. The attack surface includes any 802.11 action frames received by the wireless interface, which could come from nearby wireless devices or networks. The vulnerability is triggered during frame processing in the kernel's wireless stack.
Fix Mechanism: The patch adds a length check 'skb->len >= IEEE80211_MIN_ACTION_SIZE + 1' before accessing the action frame fields. This ensures the buffer contains at least the minimum required bytes for an action frame plus one additional byte needed to safely access the action_code field.
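The length gate described under Fix Mechanism, as an added userspace sketch (not the mt76 driver code or the upstream patch). The MODEL_/model_ names, the simplified skb stand-in, the Block Ack and ADDBA constants used for the comparison, and the sample buffer are assumptions made for illustration; the unchecked form is only ever called on a 32-byte backing buffer so the demonstration itself stays in bounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model, not kernel code; every MODEL_/model_ name is an assumption. */
#define MODEL_HDR_LEN         24                  /* 3-address management header */
#define MODEL_MIN_ACTION_SIZE (MODEL_HDR_LEN + 1) /* header + category byte */
#define MODEL_FC0_ACTION      0xD0                /* type=management, subtype=action */
#define MODEL_CATEGORY_BACK   3                   /* Block Ack category */
#define MODEL_ADDBA_REQ       0                   /* ADDBA request action code */

struct model_skb { const uint8_t *data; size_t len; }; /* stand-in for skb->data/len */

/* Constructed sample: 32-byte backing buffer. Bytes 24 and 25 stand for whatever
 * memory follows a frame whose declared length is shorter than 26 bytes. */
static const uint8_t model_buf[32] = { [0] = MODEL_FC0_ACTION, [24] = 3, [25] = 0 };

static bool model_is_action(const struct model_skb *skb)
{
    return skb->len >= 2 && (skb->data[0] & 0xFC) == MODEL_FC0_ACTION;
}

/* "Before": assumes category (offset 24) and action_code (offset 25) are present. */
static bool addba_req_unchecked(const struct model_skb *skb)
{
    return model_is_action(skb) &&
           skb->data[MODEL_HDR_LEN] == MODEL_CATEGORY_BACK &&
           skb->data[MODEL_HDR_LEN + 1] == MODEL_ADDBA_REQ;
}

/* "After": same test, gated on len >= MIN_ACTION_SIZE + 1 before any field read. */
static bool addba_req_checked(const struct model_skb *skb)
{
    return model_is_action(skb) &&
           skb->len >= MODEL_MIN_ACTION_SIZE + 1 &&
           skb->data[MODEL_HDR_LEN] == MODEL_CATEGORY_BACK &&
           skb->data[MODEL_HDR_LEN + 1] == MODEL_ADDBA_REQ;
}

int main(void)
{
    struct model_skb full = { model_buf, 26 }, cut = { model_buf, 25 };
    printf("full: unchecked=%d checked=%d\n", addba_req_unchecked(&full), addba_req_checked(&full));
    printf("cut:  unchecked=%d checked=%d\n", addba_req_unchecked(&cut), addba_req_checked(&cut));
    return 0;
}
```

For the 25-byte frame the unchecked form still reports a match because it reads the byte at offset 25, which lies past the declared length; the checked form rejects the frame before touching either field.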
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.77 | ca1adc04fc2c |
| 6.18 | 6.18.17 | f4cdf6b43689 |
| 6.19 | 6.19.7 | 45661d22639c |
| 6.6 | 6.6.130 | a6605f619131 |
| mainline | 7.0 | 608628463086 |