Skip to main content

Linux Kernel CVE-2026-46271

| EUVDEUVD-2026-34133 HIGH
2026-06-03 Linux GHSA-288x-m8hv-hv43
High
Disputed · 7.8 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 05, 2026 - 07:30 vuln.today
CVSS changed
Jun 05, 2026 - 07:22 NVD
7.8 (HIGH)
Patch available
Jun 03, 2026 - 19:01 EUVD
CVE Published
Jun 03, 2026 - 15:50 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 03, 2026 - 15:50 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: do WoW offloads only on primary link

In case of multi-link connection, WCN7850 firmware crashes due to WoW offloads enabled on both primary and secondary links.

Change to do it only on primary link to fix it.

Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1

AnalysisAI

Denial of service in the Linux kernel ath12k Wi-Fi driver affects systems using Qualcomm WCN7850 chipsets with multi-link operation (MLO) connections. When Wake-on-WLAN (WoW) offloads are configured on both primary and secondary links during a multi-link connection, the WCN7850 firmware crashes, disrupting wireless connectivity. EPSS exploitation probability is very low (0.02%, 4th percentile) and no public exploit identified at time of analysis, suggesting this is primarily a stability/reliability fix rather than a security priority.

Technical ContextAI

The vulnerability is in the ath12k driver, the mainline Linux kernel driver for Qualcomm Wi-Fi 7 chipsets including the WCN7850. The ath12k driver supports Multi-Link Operation (MLO), a Wi-Fi 7 (802.11be) feature allowing simultaneous transmission across multiple radio bands using one primary and one or more secondary links. Wake-on-WLAN (WoW) is a power-management feature that lets the system sleep while the Wi-Fi chip listens for magic packets or specific patterns to wake the host. The bug: the driver pushed WoW offload configuration to firmware on every link, but the WCN7850 firmware only expects this on the primary link and crashes when configured on a secondary link. No CWE was assigned, but the defect class is improper resource/state handling in a kernel driver leading to firmware fault - effectively a denial-of-service condition.

RemediationAI

Vendor-released patch: upgrade to Linux 6.18.14, 6.19.4, or 7.0 (or any later stable kernel containing the backports). Distribution users should apply the next stable kernel update from their vendor that incorporates the ath12k fix; the upstream commits are 7379837c3f9efa576dc2d716ebfaa3a113b3112f, e62102ac9b773bdb08475aa9ca24dea61ae98708, and e042da1085d9f1686c58a4378d5840f52a36598e on git.kernel.org. If patching is not immediately possible, the practical workaround on WCN7850 hardware is to disable Wake-on-WLAN (e.g., via NetworkManager or iw/wpa_supplicant, depending on distribution) so WoW offloads are never pushed to firmware - the side effect is loss of wake-from-suspend over Wi-Fi. Alternatively, disabling Multi-Link Operation (forcing single-link association) avoids the crash but reduces Wi-Fi 7 throughput benefits.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-46271 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy