Skip to main content

Linux Kernel ath12k EUVDEUVD-2026-34110

| CVE-2026-46248 MEDIUM
2026-06-03 Linux GHSA-ccjm-3xx6-g84m
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 09, 2026 - 20:38 vuln.today
CVSS changed
Jun 09, 2026 - 20:37 NVD
5.5 (MEDIUM)
Patch available
Jun 03, 2026 - 19:01 EUVD
CVE Published
Jun 03, 2026 - 15:49 nvd
MEDIUM 5.5
CVE Published
Jun 03, 2026 - 15:49 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: clear stale link mapping of ahvif->links_map

When an arvif is initialized in non-AP STA mode but MLO connection preparation fails before the arvif is created (arvif->is_created remains false), the error path attempts to delete all links. However, link deletion only executes when arvif->is_created is true. As a result, ahvif retains a stale entry of arvif that is initialized but not created.

When a new arvif is initialized with the same link id, this stale mapping triggers the following WARN_ON.

WARNING: drivers/net/wireless/ath/ath12k/mac.c:4271 at ath12k_mac_op_change_vif_links+0x140/0x180 [ath12k], CPU#3: wpa_supplicant/275

Call trace: ath12k_mac_op_change_vif_links+0x140/0x180 [ath12k] (P) drv_change_vif_links+0xbc/0x1a4 [mac80211] ieee80211_vif_update_links+0x54c/0x6a0 [mac80211] ieee80211_vif_set_links+0x40/0x70 [mac80211] ieee80211_prep_connection+0x84/0x450 [mac80211] ieee80211_mgd_auth+0x200/0x480 [mac80211] ieee80211_auth+0x14/0x20 [mac80211] cfg80211_mlme_auth+0x90/0xf0 [cfg80211] nl80211_authenticate+0x32c/0x380 [cfg80211] genl_family_rcv_msg_doit+0xc8/0x134

Fix this issue by unassigning the link vif and clearing ahvif->links_map if arvif is only initialized but not created.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.5-01651-QCAHKSWPL_SILICONZ-1

AnalysisAI

Stale link mapping in the ath12k Wi-Fi 7 driver causes a kernel WARN_ON condition when MLO (Multi-Link Operation) connection preparation fails mid-initialization, leaving ahvif->links_map in an inconsistent state. Systems running the Linux kernel with Qualcomm ath12k hardware (e.g., QCN9274) are affected across stable branches through 6.18.13, 6.19.3, and pre-7.0 releases. A local low-privileged user capable of triggering repeated MLO authentication failures can induce kernel warning conditions, resulting in high availability impact with no public exploit identified at time of analysis.

Technical ContextAI

The ath12k driver implements support for Wi-Fi 7 (802.11be) hardware, including Qualcomm's QCN9274 PCIe chipset. The vulnerability lies in MLO (Multi-Link Operation) link lifecycle management: when an arvif (AR Virtual InterFace) is initialized in non-AP STA mode but the MLO connection preparation fails before arvif->is_created is set to true, the error path's link deletion logic is gated on is_created, so it silently skips cleanup. This leaves ahvif->links_map holding a stale arvif pointer for that link ID. On the next initialization attempt reusing the same link ID, the mac80211 subsystem's drv_change_vif_links call into ath12k_mac_op_change_vif_links encounters the inconsistent mapping and triggers WARN_ON at mac.c:4271. The root cause is effectively a missing cleanup in an error path - analogous to CWE-459 (Incomplete Cleanup) - though no CWE has been formally assigned. The call chain runs through nl80211 → cfg80211 → mac80211 → ath12k, meaning the trigger is accessible via standard wireless management interfaces (wpa_supplicant interactions with netlink).

RemediationAI

Upgrade to a patched Linux kernel: 6.18.14, 6.19.4, or 7.0, as appropriate for the running stable branch. The upstream fix commits are available at https://git.kernel.org/stable/c/2c1ba9c2adf0fda96eaaebd8799268a7506a8fc9 (6.18.x), https://git.kernel.org/stable/c/da289440f04c93048d82d293b180f1cacdfee2d9 (6.19.x), and https://git.kernel.org/stable/c/acd8319e834be6790e449701cb6df0f636801977 (mainline/7.0). Distributions carrying the ath12k driver on affected kernel versions should apply the appropriate backport. If immediate patching is not feasible on systems using ath12k hardware, a compensating control is to restrict access to the wireless management interface by limiting which users or processes can issue nl80211/netlink commands (e.g., via network namespace isolation or capability restrictions on CAP_NET_ADMIN). Note that this mitigation limits the attack surface but does not eliminate the underlying bug. Disabling MLO operation via wpa_supplicant configuration (removing multi-link BSS entries) also removes the specific trigger condition, at the cost of losing Wi-Fi 7 MLO performance benefits.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-34110 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy