CVE-2026-46248 - Vulnerability Details

- wifi: ath12k: clear stale link mapping of ahvif->links_map

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: clear stale link mapping of ahvif->links_map

When an arvif is initialized in non-AP STA mode but MLO connection
preparation fails before the arvif is created
(arvif->is_created remains false), the error path attempts to delete all
links. However, link deletion only executes when arvif->is_created is true.
As a result, ahvif retains a stale entry of arvif that is initialized but
not created.

When a new arvif is initialized with the same link id, this stale mapping
triggers the following WARN_ON.

WARNING: drivers/net/wireless/ath/ath12k/mac.c:4271 at ath12k_mac_op_change_vif_links+0x140/0x180 [ath12k], CPU#3: wpa_supplicant/275

Call trace:
ath12k_mac_op_change_vif_links+0x140/0x180 [ath12k] (P)
drv_change_vif_links+0xbc/0x1a4 [mac80211]
ieee80211_vif_update_links+0x54c/0x6a0 [mac80211]
ieee80211_vif_set_links+0x40/0x70 [mac80211]
ieee80211_prep_connection+0x84/0x450 [mac80211]
ieee80211_mgd_auth+0x200/0x480 [mac80211]
ieee80211_auth+0x14/0x20 [mac80211]
cfg80211_mlme_auth+0x90/0xf0 [cfg80211]
nl80211_authenticate+0x32c/0x380 [cfg80211]
genl_family_rcv_msg_doit+0xc8/0x134

Fix this issue by unassigning the link vif and clearing ahvif->links_map
if arvif is only initialized but not created.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.5-01651-QCAHKSWPL_SILICONZ-1

Published: 2026-06-03

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability occurs when a Wi‑Fi virtual interface in the Linux ath12k driver is partially initialized for multi‑link operation but the MLO connection preparation fails before the interface is fully created. The error‑handling path then attempts to delete all link entries only if the interface is marked as created, leaving stale entries in ahvif->links_map. A subsequent initialization of the same link ID triggers a WARN_ON in the kernel, indicating a duplicate mapping. This logic flaw does not provide code execution or privilege escalation, but it causes kernel warnings, potential driver instability, and incorrect interface state management. The weakness is identified as improper handling of data structures (CWE‑459).

Affected Systems

Linux systems running a kernel that includes the ath12k Wi‑Fi driver, particularly those using the QCN9274 hw2.0 driver. No specific kernel version range is documented in the supplied data, so all builds containing the affected ath12k code are potentially impacted.

Risk and Exploitability

A CVSS score of 5.5 classifies the issue as moderate severity. The EPSS score is less than 1 % and the vulnerability is not listed in CISA’s KEV catalog, indicating a low likelihood of exploitation in the wild. Based on the description, it is inferred that an attacker would require local or privileged access to manipulate the Wi‑Fi interface state, and that the flaw results only in kernel warnings and potential stability issues rather than direct denial of service or information disclosure. System administrators should address the issue promptly to eliminate the warning and mitigate potential cascading instability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`81e4be30544ee7e8da80e9aae7acd69d3be6d05a`	affected	< da289440f04c93048d82d293b180f1cacdfee2d9
`81e4be30544ee7e8da80e9aae7acd69d3be6d05a`	affected	< acd8319e834be6790e449701cb6df0f636801977
`81e4be30544ee7e8da80e9aae7acd69d3be6d05a`	affected	< 2c1ba9c2adf0fda96eaaebd8799268a7506a8fc9

Linux

affected

Version	Status	Constraints
`6.15`	affected	—
`0`	unaffected	< 6.15
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[81e4be30544ee7e8da80e9aae7acd69d3be6d05a,da289440f04c93048d82d293b180f1cacdfee2d9)`	affected	code_commit	—
`[81e4be30544ee7e8da80e9aae7acd69d3be6d05a,acd8319e834be6790e449701cb6df0f636801977)`	affected	code_commit	—
`[81e4be30544ee7e8da80e9aae7acd69d3be6d05a,2c1ba9c2adf0fda96eaaebd8799268a7506a8fc9)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.15`	affected	generic	—
`[0,6.15)`	unaffected	generic	—
`[0,6.18.*]`	unaffected	generic	—
`[0,6.19.*]`	unaffected	generic	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel PATCH that removes the stale link deletion logic in ath12k, referencing the commit logs provided in the advisory
Reboot the system to load the updated kernel and driver modules
Continuously monitor kernel logs for WARN_ON messages related to ath12k and mac80211; if the warnings persist, consider disabling MLO or contacting the vendor for further assistance

Generated by OpenCVE AI on June 10, 2026 at 00:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00121.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2c1ba9c2adf0fda96eaaebd8799268a7506a8fc9
https://git.kernel.org/stable/c/acd8319e834be6790e449701cb6df0f636801977
https://git.kernel.org/stable/c/da289440f04c93048d82d293b180f1cacdfee2d9
https://lore.kernel.org/linux-cve-announce/2026060333-CVE-2026-46248-19f9@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46248
https://www.cve.org/CVERecord?id=CVE-2026-46248

History

Tue, 09 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo

Thu, 04 Jun 2026 02:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-455

Thu, 04 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-459
References		https://lore.kernel.org/linux-cve-announce/2026060333-CVE-2026-46248-19f9@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46248 https://www.cve.org/CVERecord?id=CVE-2026-46248
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 03 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-455

Wed, 03 Jun 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: clear stale link mapping of ahvif->links_map When an arvif is initialized in non-AP STA mode but MLO connection preparation fails before the arvif is created (arvif->is_created remains false), the error path attempts to delete all links. However, link deletion only executes when arvif->is_created is true. As a result, ahvif retains a stale entry of arvif that is initialized but not created. When a new arvif is initialized with the same link id, this stale mapping triggers the following WARN_ON. WARNING: drivers/net/wireless/ath/ath12k/mac.c:4271 at ath12k_mac_op_change_vif_links+0x140/0x180 [ath12k], CPU#3: wpa_supplicant/275 Call trace: ath12k_mac_op_change_vif_links+0x140/0x180 [ath12k] (P) drv_change_vif_links+0xbc/0x1a4 [mac80211] ieee80211_vif_update_links+0x54c/0x6a0 [mac80211] ieee80211_vif_set_links+0x40/0x70 [mac80211] ieee80211_prep_connection+0x84/0x450 [mac80211] ieee80211_mgd_auth+0x200/0x480 [mac80211] ieee80211_auth+0x14/0x20 [mac80211] cfg80211_mlme_auth+0x90/0xf0 [cfg80211] nl80211_authenticate+0x32c/0x380 [cfg80211] genl_family_rcv_msg_doit+0xc8/0x134 Fix this issue by unassigning the link vif and clearing ahvif->links_map if arvif is only initialized but not created. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.5-01651-QCAHKSWPL_SILICONZ-1
Title		wifi: ath12k: clear stale link mapping of ahvif->links_map
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2c1ba9c2adf0fda96eaaebd8799268a7506a8fc9 https://git.kernel.org/stable/c/acd8319e834be6790e449701cb6df0f636801977 https://git.kernel.org/stable/c/da289440f04c93048d82d293b180f1cacdfee2d9

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-03T15:49:43.934Z

Updated: 2026-06-03T15:49:43.934Z

Reserved: 2026-05-13T15:03:33.107Z

Link: CVE-2026-46248

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-06-03T18:16:25.097

Modified: 2026-06-09T20:36:52.963

Link: CVE-2026-46248

Redhat

Severity : Low

Publid Date: 2026-06-03T00:00:00Z

Links: CVE-2026-46248 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T00:15:17Z

Weaknesses

CWE-459
Incomplete Cleanup
NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object