{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23315", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.994Z", "datePublished": "2026-03-25T10:27:10.115Z", "dateUpdated": "2026-03-25T10:27:10.115Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:10.115Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob\naccess.\n\n[fix check to also cover mgmt->u.action.u.addba_req.capab,\ncorrect Fixes tag]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c"], "versions": [{"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e", "lessThan": "84419556359bc96d3fe1623d47a64c86542566cc", "status": "affected", "versionType": "git"}, {"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e", "lessThan": "7ae7b093b7dba9548a3bc4766b9364b97db4732d", "status": "affected", "versionType": "git"}, {"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e", "lessThan": "7b692dff8df0ba5feb8df00f27d906d6eb1fe627", "status": "affected", "versionType": "git"}, {"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e", "lessThan": "9612d91f617231e03c49cb9b0c02f975a3b4f51f", "status": "affected", "versionType": "git"}, {"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e", "lessThan": "0fb3b94a9431a3800717e5c3b6fa2e1045a15029", "status": "affected", "versionType": "git"}, {"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e", "lessThan": "4e10a730d1b511ff49723371ed6d694dd1b2c785", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c"], "versions": [{"version": "5.10", "status": "affected"}, {"version": "0", "lessThan": "5.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/84419556359bc96d3fe1623d47a64c86542566cc"}, {"url": "https://git.kernel.org/stable/c/7ae7b093b7dba9548a3bc4766b9364b97db4732d"}, {"url": "https://git.kernel.org/stable/c/7b692dff8df0ba5feb8df00f27d906d6eb1fe627"}, {"url": "https://git.kernel.org/stable/c/9612d91f617231e03c49cb9b0c02f975a3b4f51f"}, {"url": "https://git.kernel.org/stable/c/0fb3b94a9431a3800717e5c3b6fa2e1045a15029"}, {"url": "https://git.kernel.org/stable/c/4e10a730d1b511ff49723371ed6d694dd1b2c785"}], "title": "wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob\naccess.\n\n[fix check to also cover mgmt->u.action.u.addba_req.capab,\ncorrect Fixes tag]"}], "id": "CVE-2026-23315", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:27.897", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0fb3b94a9431a3800717e5c3b6fa2e1045a15029"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4e10a730d1b511ff49723371ed6d694dd1b2c785"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7ae7b093b7dba9548a3bc4766b9364b97db4732d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7b692dff8df0ba5feb8df00f27d906d6eb1fe627"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/84419556359bc96d3fe1623d47a64c86542566cc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9612d91f617231e03c49cb9b0c02f975a3b4f51f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T12:40:51.091690+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the mt76 driver patch", "Verify that the updated kernel contains the corrected mt76 driver", "If an immediate update is not possible, disable wireless networking or unload the mt76 module until the fix is in place", "Continuously monitor vendor advisories for further information"], "summary": {"action": "Patch Kernel", "impact": "Kernel memory corruption via malformed Wi\u2011Fi frames"}, "threat_synthesis": {"affected_systems": "The issue affects all Linux kernel builds that include the unpatched mt76 driver for MediaTek Wi\u2011Fi chipsets. Any system running a kernel version that incorporates the original mt76_connac2_mac_write_txwi_80211 implementation is vulnerable. The vendor/product information is listed in the CNA as Linux: Linux, and no specific kernel version numbers are provided, so all current releases that still contain the legacy code remain at risk.", "description_and_impact": "The Linux kernel's mt76 wireless driver contains a vulnerability that can allow an out-of-bounds memory access when processing certain Wi\u2011Fi management frames. If a received frame is shorter than the driver expects, the code may read memory beyond the frame boundaries, potentially corrupting kernel memory. The weakness arises from insufficient validation of frame length before accessing internal fields. Such corruption could destabilize the system or create opportunities for further exploitation, although no specific escalation path is documented in the release notes.", "risk_and_exploitability": "The CVE scoring data does not provide a CVSS or EPSS value, and the vulnerability is not listed in the CISA KEV catalog, making it unclear how frequently this flaw is being exploited in the wild. However, the attack vector can be inferred to be remote over the wireless interface, as the driver processes frames transmitted to the device. An attacker with physical proximity or wireless access could craft a malformed frame to trigger the out-of-bounds read. While the exact likelihood of exploitation is uncertain, the possibility of kernel memory corruption represents a serious risk to affected systems."}}}}, "created": "2026-03-25T21:15:14.175408+00:00", "updated": "2026-03-25T21:15:14.175449+00:00", "vendors": [], "weaknesses": ["CWE-119"]}