Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req()

mt76_connac_mcu_alloc_sta_req() allocates an skb which is expected to
be freed eventually by mt76_mcu_skb_send_msg(). However, currently if
an intermediate function fails before sending, the allocated skb is
leaked.

Specifically, mt76_connac_mcu_sta_wed_update() and
mt76_connac_mcu_sta_key_tlv() may fail, leading to an immediate memory
leak in the error path.

Fix this by explicitly freeing the skb in these error paths.
Commit 7c0f63fe37a5 ("wifi: mt76: mt7996: fix memory leak on
mt7996_mcu_sta_key_tlv error") made a similar change.

Compile tested only. Issue found using a prototype static analysis tool
and code review.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel implementation of the mt76 wireless driver allocates a socket buffer for MCU messages but does not always free it when an intermediate helper fails. The leaked buffer remains in memory until reclaimed, causing a gradual leak of kernel memory. This represents a CWE‑401 memory‑leak weakness that can lead to resource exhaustion and system instability when the failure path is exercised.

Affected Systems

All Linux kernel distributions that ship the mt76 family of wireless drivers—including mt7996 devices—are potentially affected. The issue is present in any kernel version compiled with this driver before the patch that frees the skb on error. No specific kernel version range was supplied; the CPE entry shows a generic linux_kernel match.

Risk and Exploitability

Because the vulnerability only manifests when the driver’s internal error paths are triggered, exploitation requires interaction with the wireless subsystem, typically through crafted frames or normal operation that causes a helper to fail. The CVSS score of 5.5 indicates medium severity, while the EPSS score of < 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, further indicating limited current threat. Nonetheless, the memory leak can accumulate over time, especially on systems with sustained traffic or misbehaving firmware, potentially degrading performance or forcing a reboot. The unpatched mt76 driver on any Linux kernel that processes wireless packets remains vulnerable to memory exhaustion over prolonged use.

Generated by OpenCVE AI on June 26, 2026 at 02:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that includes the patch that frees the skb on error (e.g., the commit with id 7c0f63fe37a5 or later).
  • If using a custom kernel build, cherry‑pick the fix that adds explicit skb freeing in mt76_connac_mcu_sta_wed_update and mt76_connac_mcu_sta_key_tlv.
  • If a kernel update cannot be applied immediately, consider disabling the mt76 wireless interface or the driver to prevent further leaks and monitor kernel memory usage for signs of exhaustion.

Generated by OpenCVE AI on June 26, 2026 at 02:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 24 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req() mt76_connac_mcu_alloc_sta_req() allocates an skb which is expected to be freed eventually by mt76_mcu_skb_send_msg(). However, currently if an intermediate function fails before sending, the allocated skb is leaked. Specifically, mt76_connac_mcu_sta_wed_update() and mt76_connac_mcu_sta_key_tlv() may fail, leading to an immediate memory leak in the error path. Fix this by explicitly freeing the skb in these error paths. Commit 7c0f63fe37a5 ("wifi: mt76: mt7996: fix memory leak on mt7996_mcu_sta_key_tlv error") made a similar change. Compile tested only. Issue found using a prototype static analysis tool and code review.
Title wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:38.536Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53102

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53102 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T02:30:17Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-772

    Missing Release of Resource after Effective Lifetime