{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23315", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.994Z", "datePublished": "2026-03-25T10:27:10.115Z", "dateUpdated": "2026-03-25T10:27:10.115Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:10.115Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob\naccess.\n\n[fix check to also cover mgmt->u.action.u.addba_req.capab,\ncorrect Fixes tag]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c"], "versions": [{"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e", "lessThan": "84419556359bc96d3fe1623d47a64c86542566cc", "status": "affected", "versionType": "git"}, {"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e", "lessThan": "7ae7b093b7dba9548a3bc4766b9364b97db4732d", "status": "affected", "versionType": "git"}, {"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e", "lessThan": "7b692dff8df0ba5feb8df00f27d906d6eb1fe627", "status": "affected", "versionType": "git"}, {"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e", "lessThan": "9612d91f617231e03c49cb9b0c02f975a3b4f51f", "status": "affected", "versionType": "git"}, {"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e", "lessThan": "0fb3b94a9431a3800717e5c3b6fa2e1045a15029", "status": "affected", "versionType": "git"}, {"version": "577dbc6c656da6997dddc6cf842b7954588f2d4e", "lessThan": "4e10a730d1b511ff49723371ed6d694dd1b2c785", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c"], "versions": [{"version": "5.10", "status": "affected"}, {"version": "0", "lessThan": "5.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/84419556359bc96d3fe1623d47a64c86542566cc"}, {"url": "https://git.kernel.org/stable/c/7ae7b093b7dba9548a3bc4766b9364b97db4732d"}, {"url": "https://git.kernel.org/stable/c/7b692dff8df0ba5feb8df00f27d906d6eb1fe627"}, {"url": "https://git.kernel.org/stable/c/9612d91f617231e03c49cb9b0c02f975a3b4f51f"}, {"url": "https://git.kernel.org/stable/c/0fb3b94a9431a3800717e5c3b6fa2e1045a15029"}, {"url": "https://git.kernel.org/stable/c/4e10a730d1b511ff49723371ed6d694dd1b2c785"}], "title": "wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob\naccess.\n\n[fix check to also cover mgmt->u.action.u.addba_req.capab,\ncorrect Fixes tag]"}], "id": "CVE-2026-23315", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:27.897", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0fb3b94a9431a3800717e5c3b6fa2e1045a15029"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4e10a730d1b511ff49723371ed6d694dd1b2c785"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7ae7b093b7dba9548a3bc4766b9364b97db4732d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7b692dff8df0ba5feb8df00f27d906d6eb1fe627"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/84419556359bc96d3fe1623d47a64c86542566cc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9612d91f617231e03c49cb9b0c02f975a3b4f51f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()", "id": "2451177", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451177"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["A flaw was found in the Linux kernel's `mt76` Wi-Fi driver. This vulnerability, an out-of-bounds (OOB) access, occurs due to an insufficient check of frame length before accessing management fields within the `mt76_connac2_mac_write_txwi_80211()` function. An attacker could potentially exploit this to cause memory corruption, which may lead to system instability or a denial of service (DoS)."], "name": "CVE-2026-23315", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23315\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23315\nhttps://lore.kernel.org/linux-cve-announce/2026032529-CVE-2026-23315-9ac1@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[577dbc6c656da6997dddc6cf842b7954588f2d4e,84419556359bc96d3fe1623d47a64c86542566cc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[577dbc6c656da6997dddc6cf842b7954588f2d4e,7ae7b093b7dba9548a3bc4766b9364b97db4732d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[577dbc6c656da6997dddc6cf842b7954588f2d4e,7b692dff8df0ba5feb8df00f27d906d6eb1fe627)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[577dbc6c656da6997dddc6cf842b7954588f2d4e,9612d91f617231e03c49cb9b0c02f975a3b4f51f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[577dbc6c656da6997dddc6cf842b7954588f2d4e,0fb3b94a9431a3800717e5c3b6fa2e1045a15029)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[577dbc6c656da6997dddc6cf842b7954588f2d4e,4e10a730d1b511ff49723371ed6d694dd1b2c785)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.10"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.10)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc3,*)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T02:25:18.591317+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the commit patching the out\u2011of\u2011bounds check.", "Verify that the mt76 module has been updated by inspecting the kernel source or using \"modinfo\" to confirm patched version.", "If an immediate kernel upgrade is unavailable, disable the Wi\u2011Fi interface or the mt76 driver until the patch is applied.", "Monitor kernel logs for warnings or panics related to mt76 to detect exploitation attempts."], "summary": {"action": "Patch Immediately", "impact": "Out\u2011of\u2011bounds memory access"}, "threat_synthesis": {"affected_systems": "The affected kernels are those carrying the mt76 driver before the patch referenced in the commit logs. All Linux distributions using the affected kernel code and Wi\u2011Fi hardware that uses MediaTek's Connac2 chipset are exposed. Because no specific kernel version is given, any kernel version that includes older mt76 code can be considered impacted until the patch is applied.", "description_and_impact": "The vulnerability originates from the mt76 Wi\u2011Fi driver for MediaTek chips. A missing length check permits an attacker to craft a management frame with an oversized payload, causing the function mt76_connac2_mac_write_txwi_80211 to read beyond the allocated buffer. This out\u2011of\u2011bounds read can corrupt kernel memory, potentially allowing privilege escalation or denial of service.", "risk_and_exploitability": "The assessment shows a moderate level of risk typical for out\u2011of\u2011bounds memory access, but the EPSS indicates a low likelihood of exploitation (<1%). The issue is not currently listed in the CISA KEV catalog, suggesting no known active exploitation. Successful exploitation would require an attacker to send a crafted Wi\u2011Fi frame or to gain local access to the system, making the risk dependent on network exposure and device security posture."}}}}, "created": "2026-03-25T21:15:14.175408+00:00", "updated": "2026-03-26T12:16:42.304423+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}