{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23325", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.996Z", "datePublished": "2026-03-25T10:27:18.204Z", "dateUpdated": "2026-03-25T10:27:18.204Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:18.204Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt7996_mac_write_txwi_80211 in order to avoid a possible oob access."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/mediatek/mt76/mt7996/mac.c"], "versions": [{"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "a6605f61913155e130bfd04d438c3ce1a572fb0f", "status": "affected", "versionType": "git"}, {"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "ca1adc04fc2cb1d9f1842e429debe6a520d54966", "status": "affected", "versionType": "git"}, {"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "f4cdf6b43689e901a341e7147fcfb25057c38eae", "status": "affected", "versionType": "git"}, {"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "45661d22639c4b747ef1bd0822b8e76e421a808a", "status": "affected", "versionType": "git"}, {"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "60862846308627e9e15546bb647a00de44deb27b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/mediatek/mt76/mt7996/mac.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a6605f61913155e130bfd04d438c3ce1a572fb0f"}, {"url": "https://git.kernel.org/stable/c/ca1adc04fc2cb1d9f1842e429debe6a520d54966"}, {"url": "https://git.kernel.org/stable/c/f4cdf6b43689e901a341e7147fcfb25057c38eae"}, {"url": "https://git.kernel.org/stable/c/45661d22639c4b747ef1bd0822b8e76e421a808a"}, {"url": "https://git.kernel.org/stable/c/60862846308627e9e15546bb647a00de44deb27b"}], "title": "wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt7996_mac_write_txwi_80211 in order to avoid a possible oob access."}], "id": "CVE-2026-23325", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:29.537", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/45661d22639c4b747ef1bd0822b8e76e421a808a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/60862846308627e9e15546bb647a00de44deb27b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a6605f61913155e130bfd04d438c3ce1a572fb0f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ca1adc04fc2cb1d9f1842e429debe6a520d54966"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f4cdf6b43689e901a341e7147fcfb25057c38eae"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()", "id": "2451213", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451213"}, "csaw": false, "cwe": "CWE-805", "details": ["A flaw was found in the Linux kernel's mt76 WiFi driver, specifically within the mt7996 component. This vulnerability, an out-of-bounds (OOB) access, occurs because the driver does not adequately check the length of incoming data frames before attempting to read or write to memory. A local attacker could exploit this weakness to trigger memory corruption, which may lead to a system crash (Denial of Service) or other unpredictable system behavior."], "name": "CVE-2026-23325", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23325\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23325\nhttps://lore.kernel.org/linux-cve-announce/2026032531-CVE-2026-23325-4e3b@gregkh/T"]}

{"analysis": {"en": {"generated_at": "2026-03-25T12:16:34.432270+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the commit adding the frame\u2011length validation for the mt76 mt7996 driver.", "If a kernel update cannot be applied immediately, disable the affected WiFi interface or configure the driver to ignore management frames to prevent the out\u2011of\u2011bounds read.", "Verify that the patched kernel version is running by checking the commit hash or kernel build information; confirm remediation with a security scan."], "summary": {"action": "Patch Immediately", "impact": "Out-of-Bounds Memory Access in WiFi Driver"}, "threat_synthesis": {"affected_systems": "Linux kernels that include the mt76 mt7996 driver and have not incorporated the commit that inserts a frame\u2011length check are vulnerable. Because the kernel source is shared across vendors, all distributions that ship the affected driver code before the backport are impacted.", "description_and_impact": "A defect in the Linux kernel\u2019s mt76 mt7996 driver allows a malicious WiFi frame to cause an out\u2011of\u2011bounds read when the frame length is unchecked before accessing certain management fields. The unchecked read could corrupt kernel memory, potentially leading to a system crash or instability, but the CVE data does not indicate privilege escalation or data disclosure.", "risk_and_exploitability": "The vulnerability requires an attacker who can inject crafted 802.11 frames into the target device\u2019s wireless interface, implying a need for proximity or network access. No public exploits are listed in the CISA KEV catalog and an EPSS score is not provided, indicating limited evidence of widespread exploitation. The lack of a CVSS score in the advisory implies that severity could be moderate to high, given that kernel memory corruption can destabilize the system. Applying the patch that adds the frame\u2011length check removes the risk."}}}}, "created": "2026-03-25T21:27:36.129955+00:00", "updated": "2026-03-25T21:27:36.130065+00:00", "vendors": [], "weaknesses": ["CWE-119"]}