CVE-2025-68380
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix peer HE MCS assignment
In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to firmware as receive MCS while peer's receive MCS sent as transmit MCS, which goes against firmwire's definition.
While connecting to a misbehaved AP that advertises 0xffff (meaning not supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff is assigned to he_mcs->rx_mcs_set field.
Ext Tag: HE Capabilities
[...]
Supported HE-MCS and NSS Set
[...]
Rx and Tx MCS Maps 160 MHz
[...]
Tx HE-MCS Map 160 MHz: 0xffff
Swap the assignment to fix this issue.
As the HE rate control mask is meant to limit our own transmit MCS, it needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping done, change is needed as well to apply it to the peer's receive MCS.
Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 61fe43e7216df6e9a912d831aafc7142fa20f280 < 92791290e4f6a1de25d35af792ab8918a70737f6 | affected |
| Linux | Linux | 61fe43e7216df6e9a912d831aafc7142fa20f280 < 4304bd7a334e981f189b9973056a58f84cc2b482 | affected |
| Linux | Linux | 61fe43e7216df6e9a912d831aafc7142fa20f280 < 097c870b91817779e5a312c6539099a884b1fe2b | affected |
| Linux | Linux | 61fe43e7216df6e9a912d831aafc7142fa20f280 < 381096a417b7019896e93e86f4c585c592bf98e2 | affected |
| Linux | Linux | 61fe43e7216df6e9a912d831aafc7142fa20f280 < 6b1a0da75932353f66e710976ca85a7131f647ff | affected |
| Linux | Linux | 61fe43e7216df6e9a912d831aafc7142fa20f280 < 4a013ca2d490c73c40588d62712ffaa432046a04 | affected |
| Linux | Linux | 5.16 | affected |
| Linux | Linux | 0 < 5.16 | unaffected |
| Linux | Linux | 6.1.160 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.120 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.63 <= 6.12.* | unaffected |
| Linux | Linux | 6.17.13 <= 6.17.* | unaffected |
| Linux | Linux | 6.18.2 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/92791290e4f6a1de25d35af792ab8918a70737f6
- https://git.kernel.org/stable/c/4304bd7a334e981f189b9973056a58f84cc2b482
- https://git.kernel.org/stable/c/097c870b91817779e5a312c6539099a884b1fe2b
- https://git.kernel.org/stable/c/381096a417b7019896e93e86f4c585c592bf98e2
- https://git.kernel.org/stable/c/6b1a0da75932353f66e710976ca85a7131f647ff
- https://git.kernel.org/stable/c/4a013ca2d490c73c40588d62712ffaa432046a04
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.