Impact
The kernel implementation of the mt76 wireless driver allocates a socket buffer for MCU messages but does not always free it when an intermediate helper fails. The leaked buffer remains in memory until reclaimed, causing a gradual leak of kernel memory. This represents a CWE‑401 memory‑leak weakness that can lead to resource exhaustion and system instability when the failure path is exercised.
Affected Systems
All Linux kernel distributions that ship the mt76 family of wireless drivers—including mt7996 devices—are potentially affected. The issue is present in any kernel version compiled with this driver before the patch that frees the skb on error. No specific kernel version range was supplied; the CPE entry shows a generic linux_kernel match.
Risk and Exploitability
Because the vulnerability only manifests when the driver’s internal error paths are triggered, exploitation requires interaction with the wireless subsystem, typically through crafted frames or normal operation that causes a helper to fail. The CVSS score of 5.5 indicates medium severity, while the EPSS score of < 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, further indicating limited current threat. Nonetheless, the memory leak can accumulate over time, especially on systems with sustained traffic or misbehaving firmware, potentially degrading performance or forcing a reboot. The unpatched mt76 driver on any Linux kernel that processes wireless packets remains vulnerable to memory exhaustion over prolonged use.
OpenCVE Enrichment