Skip to main content

Linux Kernel mt7921 CVE-2026-53317

| EUVDEUVD-2026-39852 MEDIUM
2026-06-26 Linux GHSA-86cw-5chj-gj42
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local vector and low privilege required to control hostapd configuration; no confidentiality or integrity impact, only firmware DoS.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 06, 2026 - 20:43 vuln.today
CVSS changed
Jul 06, 2026 - 20:22 NVD
5.5 (MEDIUM)
Patch available
Jun 26, 2026 - 21:02 EUVD
CVE Published
Jun 26, 2026 - 19:41 nvd
MEDIUM 5.5
CVE Published
Jun 26, 2026 - 19:41 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7921: Place upper limit on station AID

Any station configured with an AID over 20 causes a firmware crash. This situation occurred in our testing using an AP interface on 7922 hardware, with a modified hostapd, sourced from Mediatek's OpenWRT feeds.

In stock hostapd, station AIDs begin counting at 1, and this configuration is prevented with an upper limit on associated stations. However, the modified hostapd began allocation at 65, which caused the firmware to crash. This fix does not allow these AIDs to work, but will prevent the firmware crash.

This crash was only seen on IFTYPE_AP interfaces, and the fix does not appear to have an effect on IFTYPE_STATION behavior.

AnalysisAI

Firmware crash in the Linux kernel's mt76/mt7921 WiFi driver allows a local low-privileged user to cause denial of service by triggering station Association ID (AID) values above the firmware's undocumented limit of 20. Affected hardware includes Mediatek mt7922 chipsets operating in AP mode (IFTYPE_AP). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deploy modified hostapd on mt7922 AP host
Delivery
Configure hostapd AID allocation starting at 65
Exploit
Station associates with AP and receives AID > 20
Execution
Driver passes out-of-bounds AID to mt7921/mt7922 firmware
Impact
Firmware crashes, WiFi AP service disrupted

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) Linux system with a Mediatek mt7921 or mt7922 WiFi chipset, (2) the interface configured in AP mode (IFTYPE_AP - client/station mode is explicitly unaffected), (3) hostapd configured to allocate station AIDs greater than 20 (specifically, the Mediatek OpenWRT-feeds-derived modified hostapd that begins allocation at AID 65 rather than 1). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low despite the High availability impact in the CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An operator running a Linux-based AP using mt7922 hardware deploys the Mediatek OpenWRT-derived hostapd, which allocates station AIDs starting at 65. When the 21st or any subsequent station associates with the AP, the driver passes an AID above 20 to the firmware, which crashes, taking down the WiFi interface. …
Remediation The primary fix is to upgrade to a patched kernel: Linux 6.12.91, 6.18.33, 7.0.10, or 7.1, which add an upper bound check on station AID values in the mt7921 driver before passing them to firmware. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-3216 CRITICAL POC
9.8 Jun 20

WiMAX routers based on the MediaTek SDK (libmtk) that use a custom httpd plugin are vulnerable to an authentication bypa

CVE-2019-15027 CRITICAL POC
9.8 Aug 14

The MediaTek Embedded Multimedia Card (eMMC) subsystem for Android on MT65xx, MT66xx, and MT8163 SoC devices allows atta

CVE-2016-6492 HIGH POC
7.8 Jan 12

The MT6573FDVT_SetRegHW function in camera_fdvt.c in the MediaTek driver for Linux allows local users to gain privileges

CVE-2021-37584 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

CVE-2021-37583 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37571 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37569 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37568 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37566 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37563 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

CVE-2021-37561 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

CVE-2021-37560 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

Share

CVE-2026-53317 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy