Security Vulnerability Report
中文
CVE-2026-23315 CVSS 7.1 HIGH

CVE-2026-23315

Published: 2026-03-25 11:16:28
Last Modified: 2026-04-23 21:06:57
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Check frame length before accessing the mgmt fields in mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob access. [fix check to also cover mgmt->u.action.u.addba_req.capab, correct Fixes tag]

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel (修复提交 0fb3b94a9431a3800717e5c3b6fa2e1045a15029 之前)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#include <stdio.h> #include <string.h> // Simulated PoC for the OOB access vulnerability in mt76 driver // This demonstrates the logic flaw: accessing struct fields without length check. struct ieee80211_mgmt { unsigned short frame_control; unsigned short duration; unsigned char da[6]; unsigned char sa[6]; unsigned char bssid[6]; unsigned short seq_ctrl; unsigned char variable[0]; // Flexible array member representing payload } __attribute__((packed)); // Vulnerable function simulation void simulate_vulnerable_write_txwi(unsigned char *data, int len) { struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)data; printf("Processing frame of length: %d\n", len); // The vulnerability occurs here. The code assumes the frame is long enough // to contain action details without checking 'len' first. // In the actual vuln, it accesses mgmt->u.action.u.addba_req.capab if (len < sizeof(struct ieee80211_mgmt)) { printf("Frame too short for basic header.\n"); return; } // VULNERABLE ACCESS: Accessing offset beyond provided length // This simulates accessing mgmt->u.action.u.addba_req.capab unsigned short *capab_ptr = (unsigned short *)(mgmt->variable + 10); printf("Attempting to read capability field at offset...\n"); // This read is Out-Of-Bounds if len is too small unsigned short capab = *capab_ptr; printf("Read value: 0x%x (This could be garbage or crash)\n", capab); } int main() { // Malicious packet: Header exists, but action frame payload is truncated unsigned char malicious_packet[64]; memset(malicious_packet, 0x90, 64); // Set a length that passes basic checks but fails deep structure access int packet_len = 30; printf("Simulating CVE-2026-23315 Trigger...\n"); simulate_vulnerable_write_txwi(malicious_packet, packet_len); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23315", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:27.897", "lastModified": "2026-04-23T21:06:57.390", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()\n\nCheck frame length before accessing the mgmt fields in\nmt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob\naccess.\n\n[fix check to also cover mgmt->u.action.u.addba_req.capab,\ncorrect Fixes tag]"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: mt76: Corregir posible acceso fuera de límites en mt76_connac2_mac_write_txwi_80211()\n\nVerificar la longitud del frame antes de acceder a los campos mgmt en\nmt76_connac2_mac_write_txwi_80211 para evitar un posible acceso fuera de límites.\n\n[corregir la verificación para que también cubra mgmt-&gt;u.action.u.addba_req.capab, corregir la etiqueta Fixes]"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.1", "versionEndExcluding": "6.1.167", "matchCriteriaId": "F619BEB4-F797-46AA-AB30-F861B4B6CF70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.77", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.17", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.10:-:*:*:*:*:*:*", "matchCriteriaId": "B29EBB93-107F-4ED6-8DE3-C2732BC659C3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0fb3b94a9431a3800717e5c3b6fa2e1045a15029", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/4e10a730d1b511ff49723371ed6d694dd1b2c785", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7ae7b093b7dba9548a3bc4766b9364b97db4732d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7b692dff8df0ba5feb8df00f27d906d6eb1fe627", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/84419556359bc96d3fe1623d47a64c86542566cc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9612d91f617231e03c49cb9b0c02f975a3b4f51f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.