Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: fix deadlock in remain-on-channel

mt76_remain_on_channel() and mt76_roc_complete() call mt76_set_channel()
while already holding dev->mutex. Since mt76_set_channel() also acquires
dev->mutex, this results in a deadlock.

Use __mt76_set_channel() instead of mt76_set_channel().
Add cancel_delayed_work_sync() for mac_work before acquiring the mutex
in mt76_remain_on_channel() to prevent a secondary deadlock with the
mac_work workqueue.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A deadlock occurs in the Linux kernel’s mt76 Wi‑Fi driver when mt76_remain_on_channel() and mt76_roc_complete() invoke mt76_set_channel() while the device mutex is already held. The mt76_set_channel() function attempts to acquire the same mutex again, causing contention that stalls kernel threads. This freeze prevents normal kernel operations involving the driver and can halt network connectivity and overall system responsiveness, resulting in a denial‑of‑service condition.

Affected Systems

Linux kernel systems that include the mt76 Wi‑Fi driver are affected. The vulnerability is present in any kernel version that contains the unpatched mt76 driver code. Devices such as embedded routers and wireless adapters that rely on this driver are therefore at risk.

Risk and Exploitability

The deadlock is triggered during normal driver activity, such as remaining on a channel or completing a ROC operation. An attacker who can manipulate these actions—either through privileged network configuration or by exploiting a higher‑level vulnerability that grants kernel execution—could cause the kernel to hang, leading to a system‑wide denial of service. The risk is moderate, aligned with a CVSS score of 5.5, indicating potential system-wide denial of service if exploited. EPSS is not available and the vulnerability is not in the CISA KEV catalog, so there is no public evidence of exploitation yet, but the severity warrants immediate attention.

Generated by OpenCVE AI on June 25, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the mt76 driver fix, which replaces mt76_set_channel with __mt76_set_channel and adds cancel_delayed_work_sync before locking the mutex.
  • If a kernel update is not immediately available, apply the upstream patch to the kernel source tree and rebuild the kernel or module to incorporate the driver changes.
  • As a temporary measure, unload the mt76 module or disable Wi‑Fi hardware to avoid the deadlock while awaiting an official kernel update.

Generated by OpenCVE AI on June 25, 2026 at 03:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-368

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-833
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 24 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-368

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: fix deadlock in remain-on-channel mt76_remain_on_channel() and mt76_roc_complete() call mt76_set_channel() while already holding dev->mutex. Since mt76_set_channel() also acquires dev->mutex, this results in a deadlock. Use __mt76_set_channel() instead of mt76_set_channel(). Add cancel_delayed_work_sync() for mac_work before acquiring the mutex in mt76_remain_on_channel() to prevent a secondary deadlock with the mac_work workqueue.
Title wifi: mt76: fix deadlock in remain-on-channel
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:37.216Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53100

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53100 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T03:30:17Z

Weaknesses