{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23325", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.996Z", "datePublished": "2026-03-25T10:27:18.204Z", "dateUpdated": "2026-03-25T10:27:18.204Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:18.204Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt7996_mac_write_txwi_80211 in order to avoid a possible oob access."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/mediatek/mt76/mt7996/mac.c"], "versions": [{"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "a6605f61913155e130bfd04d438c3ce1a572fb0f", "status": "affected", "versionType": "git"}, {"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "ca1adc04fc2cb1d9f1842e429debe6a520d54966", "status": "affected", "versionType": "git"}, {"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "f4cdf6b43689e901a341e7147fcfb25057c38eae", "status": "affected", "versionType": "git"}, {"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "45661d22639c4b747ef1bd0822b8e76e421a808a", "status": "affected", "versionType": "git"}, {"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "60862846308627e9e15546bb647a00de44deb27b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/mediatek/mt76/mt7996/mac.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a6605f61913155e130bfd04d438c3ce1a572fb0f"}, {"url": "https://git.kernel.org/stable/c/ca1adc04fc2cb1d9f1842e429debe6a520d54966"}, {"url": "https://git.kernel.org/stable/c/f4cdf6b43689e901a341e7147fcfb25057c38eae"}, {"url": "https://git.kernel.org/stable/c/45661d22639c4b747ef1bd0822b8e76e421a808a"}, {"url": "https://git.kernel.org/stable/c/60862846308627e9e15546bb647a00de44deb27b"}], "title": "wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt7996_mac_write_txwi_80211 in order to avoid a possible oob access."}], "id": "CVE-2026-23325", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:29.537", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/45661d22639c4b747ef1bd0822b8e76e421a808a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/60862846308627e9e15546bb647a00de44deb27b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a6605f61913155e130bfd04d438c3ce1a572fb0f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ca1adc04fc2cb1d9f1842e429debe6a520d54966"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f4cdf6b43689e901a341e7147fcfb25057c38eae"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()", "id": "2451213", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451213"}, "csaw": false, "cwe": "CWE-805", "details": ["A flaw was found in the Linux kernel's mt76 WiFi driver, specifically within the mt7996 component. This vulnerability, an out-of-bounds (OOB) access, occurs because the driver does not adequately check the length of incoming data frames before attempting to read or write to memory. A local attacker could exploit this weakness to trigger memory corruption, which may lead to a system crash (Denial of Service) or other unpredictable system behavior."], "name": "CVE-2026-23325", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23325\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23325\nhttps://lore.kernel.org/linux-cve-announce/2026032531-CVE-2026-23325-4e3b@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[98686cd21624c75a043e96812beadddf4f6f48e5,a6605f61913155e130bfd04d438c3ce1a572fb0f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[98686cd21624c75a043e96812beadddf4f6f48e5,ca1adc04fc2cb1d9f1842e429debe6a520d54966)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[98686cd21624c75a043e96812beadddf4f6f48e5,f4cdf6b43689e901a341e7147fcfb25057c38eae)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[98686cd21624c75a043e96812beadddf4f6f48e5,45661d22639c4b747ef1bd0822b8e76e421a808a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[98686cd21624c75a043e96812beadddf4f6f48e5,60862846308627e9e15546bb647a00de44deb27b)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T02:22:42.342612+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that includes the patch for mt7996 in the mt76 driver (refer to commit 45661d22639c4b747ef1bd0822b8e76e421a808a).", "Verify that the mt76 driver in the updated kernel contains the frame\u2011length check before accessing management fields.", "Reboot the affected device to ensure the updated kernel is loaded and the vulnerability is mitigated."], "summary": {"action": "Apply Patch", "impact": "Out-of-bounds read exposing sensitive data or causing a crash"}, "threat_synthesis": {"affected_systems": "All Linux kernel installations that include the mt76 driver for the mt7996 Wi\u2011Fi chip are affected. The specific kernel versions are not enumerated in the CVE data, but any kernel build that ships the unpatched mt7996 driver is vulnerable.", "description_and_impact": "The vulnerability lies in the mt7996_wifi driver within the Linux kernel, where the function mt7996_mac_write_txwi_80211() fails to validate the length of incoming frames before accessing management fields. This oversight allows an attacker to trigger an out\u2011of\u2011bounds read, potentially exposing memory contents that may contain sensitive information or creating a denial\u2011of\u2011service condition by causing a crash. The associated weaknesses are identified as CWE\u2011119 and CWE\u2011805.", "risk_and_exploitability": "The CVSS score is not published, but the EPSS estimate is below 1\u202f% and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of widespread exploitation. An attacker would need to craft a management frame targeting the device and send it to the vulnerable driver. While the impact is primarily information disclosure or potential crash, the threat is limited by the requirement for interaction with the specific Wi\u2011Fi hardware and knowledge of the driver behavior."}}}}, "created": "2026-03-25T21:27:36.129955+00:00", "updated": "2026-03-26T12:16:33.739376+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}