CVE-2025-68380
Unknown Unknown - Not Provided
Heap Corruption in Linux ath11k Driver Due to MCS Misassignment

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix peer HE MCS assignment In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to firmware as receive MCS while peer's receive MCS sent as transmit MCS, which goes against firmwire's definition. While connecting to a misbehaved AP that advertises 0xffff (meaning not supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff is assigned to he_mcs->rx_mcs_set field. Ext Tag: HE Capabilities [...] Supported HE-MCS and NSS Set [...] Rx and Tx MCS Maps 160 MHz [...] Tx HE-MCS Map 160 MHz: 0xffff Swap the assignment to fix this issue. As the HE rate control mask is meant to limit our own transmit MCS, it needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping done, change is needed as well to apply it to the peer's receive MCS. Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-05-06
AI Q&A
2025-12-24
EPSS Evaluated
2026-05-05
NVD
CVE-2025-68380
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
qualcomm wcn6855 *
qualcomm qcn9274 *
linux linux_kernel *
linux kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is in the Linux kernel's ath11k wireless driver. It involves an incorrect assignment of transmit and receive Modulation and Coding Scheme (MCS) values when communicating with firmware. Specifically, the peer's transmit MCS is mistakenly sent as the receive MCS and vice versa, which contradicts the firmware's expectations. When connecting to a misbehaving access point that advertises an unsupported 160 MHz transmit MCS map value (0xffff), the firmware crashes because this invalid value is assigned incorrectly. The fix involves swapping the assignments to align with the firmware's definitions.


How can this vulnerability impact me? :

This vulnerability can cause the firmware of the wireless device to crash when connecting to certain misbehaving access points that advertise unsupported MCS values. This could lead to loss of wireless connectivity or instability in the device's wireless functionality.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart