{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23325", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.996Z", "datePublished": "2026-03-25T10:27:18.204Z", "dateUpdated": "2026-05-11T22:04:40.848Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:40.848Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt7996_mac_write_txwi_80211 in order to avoid a possible oob access."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/mediatek/mt76/mt7996/mac.c"], "versions": [{"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "a6605f61913155e130bfd04d438c3ce1a572fb0f", "status": "affected", "versionType": "git"}, {"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "ca1adc04fc2cb1d9f1842e429debe6a520d54966", "status": "affected", "versionType": "git"}, {"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "f4cdf6b43689e901a341e7147fcfb25057c38eae", "status": "affected", "versionType": "git"}, {"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "45661d22639c4b747ef1bd0822b8e76e421a808a", "status": "affected", "versionType": "git"}, {"version": "98686cd21624c75a043e96812beadddf4f6f48e5", "lessThan": "60862846308627e9e15546bb647a00de44deb27b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/mediatek/mt76/mt7996/mac.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a6605f61913155e130bfd04d438c3ce1a572fb0f"}, {"url": "https://git.kernel.org/stable/c/ca1adc04fc2cb1d9f1842e429debe6a520d54966"}, {"url": "https://git.kernel.org/stable/c/f4cdf6b43689e901a341e7147fcfb25057c38eae"}, {"url": "https://git.kernel.org/stable/c/45661d22639c4b747ef1bd0822b8e76e421a808a"}, {"url": "https://git.kernel.org/stable/c/60862846308627e9e15546bb647a00de44deb27b"}], "title": "wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1904C76C-974E-4DEA-9E2B-C26F3C5420AD", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*", "matchCriteriaId": "3ADCCCEE-143A-4B48-9B2A-0CB97BD385DE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt7996_mac_write_txwi_80211 in order to avoid a possible oob access."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: mt76: mt7996: Correcci\u00f3n de posible acceso fuera de l\u00edmites en mt7996_mac_write_txwi_80211()\n\nVerificar la longitud del frame antes de acceder a los campos mgmt en mt7996_mac_write_txwi_80211 para evitar un posible acceso fuera de l\u00edmites."}], "id": "CVE-2026-23325", "lastModified": "2026-04-23T21:11:24.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:29.537", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/45661d22639c4b747ef1bd0822b8e76e421a808a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/60862846308627e9e15546bb647a00de44deb27b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a6605f61913155e130bfd04d438c3ce1a572fb0f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ca1adc04fc2cb1d9f1842e429debe6a520d54966"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f4cdf6b43689e901a341e7147fcfb25057c38eae"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()", "id": "2451213", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451213"}, "csaw": false, "cwe": "CWE-805", "details": ["A flaw was found in the Linux kernel's mt76 WiFi driver, specifically within the mt7996 component. This vulnerability, an out-of-bounds (OOB) access, occurs because the driver does not adequately check the length of incoming data frames before attempting to read or write to memory. A local attacker could exploit this weakness to trigger memory corruption, which may lead to a system crash (Denial of Service) or other unpredictable system behavior."], "name": "CVE-2026-23325", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23325\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23325\nhttps://lore.kernel.org/linux-cve-announce/2026032531-CVE-2026-23325-4e3b@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[98686cd21624c75a043e96812beadddf4f6f48e5,a6605f61913155e130bfd04d438c3ce1a572fb0f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[98686cd21624c75a043e96812beadddf4f6f48e5,ca1adc04fc2cb1d9f1842e429debe6a520d54966)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[98686cd21624c75a043e96812beadddf4f6f48e5,f4cdf6b43689e901a341e7147fcfb25057c38eae)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[98686cd21624c75a043e96812beadddf4f6f48e5,45661d22639c4b747ef1bd0822b8e76e421a808a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[98686cd21624c75a043e96812beadddf4f6f48e5,60862846308627e9e15546bb647a00de44deb27b)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc3,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T00:43:53.935870+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version containing the mt76 driver patch for MT7996.", "If an upgrade cannot be performed immediately, disable or block the wireless interface that uses the vulnerable mt76 driver for MT7996 to prevent reception of malicious frames.", "Restrict or filter WLAN management traffic on the network to reduce the risk that an attacker can inject crafted frames into the victim\u2019s interface.", "Monitor kernel logs for anomalous memory access errors or crashes that may indicate attempts to exploit the read."], "summary": {"action": "Immediate Patch", "impact": "Out\u2011of\u2011bounds read in kernel Wi\u2011Fi driver"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the mt76 driver for MT7996 and lack the length\u2011check patch are vulnerable. The affected versions are kernel 6.2 and the 7.0 release candidates 1 through 7, as defined by the CPE entries.", "description_and_impact": "A flaw in the Linux mt76 driver for the MT7996 wireless chipset allows the function mt7996_mac_write_txwi_80211() to read beyond the bounds of the incoming frame when the frame length is not validated. This out\u2011of\u2011bounds read (CWE\u2011125 and CWE\u2011805) can expose kernel memory contents or corrupt kernel state, potentially leading to system instability or unpredictable behavior.", "risk_and_exploitability": "The CVSS score of 7.1 indicates moderate severity, while the EPSS score of less than 1% and absence from CISA\u2019s KEV catalog suggest a low likelihood of widespread exploitation. The attack vector is inferred from the nature of the vulnerability: an attacker would need to transmit a specially crafted WLAN management frame to the target device, implying either local network proximity or the ability to inject frames into the victim\u2019s wireless interface. Given these constraints, the potential impact remains moderate with a low probability of exploitation."}}}}, "created": "2026-03-25T21:27:36.129955+00:00", "updated": "2026-04-29T00:45:26.171117+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}