CVE-2026-46136
A flaw in the Linux kernel's MT7921 Wi-Fi driver can cause a buffer length counter to drop below zero under specific conditions when the driver processes country power settings from the Carrier List Configuration (CLC). This underflow triggers either an excessive loop that nearly hangs the system or applies an invalid power setting, preventing the driver from initializing properly. An attacker with local access could exploit this to degrade Wi-Fi functionality or trigger a denial of service.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-787
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-24
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix a potential clc buffer length underflow The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC. This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46136 is a buffer length underflow vulnerability in the Linux kernel's mt76 driver for MediaTek MT7921 Wi-Fi chipsets. The vulnerability exists in the country power setting retrieval logic within the CLC (Carrier List Configuration) handling code. The buf_len variable, which bounds iteration when parsing power table entries, can underflow due to structural changes in the CLC power table data. This underflow bypasses intended loop termination checks, leading to either an indefinite loop consuming CPU resources or the application of out-of-bounds power settings that cause driver initialization to fail. The root cause is insufficient validation of the buffer size against consumed data before decrementing the length counter.
Business impact
Systems running affected Linux kernels with MT7921 Wi-Fi hardware will experience driver initialization failures or intermittent Wi-Fi outages triggered by malformed or adversarial CLC data. For endpoint devices, this prevents network connectivity; for servers or edge appliances relying on Wi-Fi, this creates availability risk. The denial-of-service vector requires local privilege or ability to influence firmware/configuration data, limiting remote exploitability but increasing insider risk in multi-tenant or bring-your-own-device environments. Organizations with MT7921-based systems should prioritize patching to restore stable wireless operations.
Affected systems
The vulnerability affects Linux kernel versions running on systems with MediaTek MT7921 Wi-Fi chipsets. This includes consumer laptops, tablets, and edge devices that use MT7921 for Wi-Fi connectivity. Verify your kernel version and confirm MT7921 presence via lspci or lsusb; affected systems will report the mt76 or mt7921 driver. The vulnerability does not affect systems using alternative Wi-Fi chipsets or those running Windows, macOS, or other operating systems.
Exploitability
Exploitability is moderate and requires local access. An attacker must either hold local unprivileged user privileges or control Wi-Fi configuration data (CLC tables) to trigger the underflow. Since CLC data is typically loaded from firmware or regulatory databases, exploitation paths include: (1) a privileged local user crafting malformed CLC data, (2) supply-chain compromise of firmware, or (3) a guest or unprivileged account triggering the flaw via configuration APIs if the driver reloads CLC on certain events. Remote exploitation is not credible under normal conditions. This is not listed on CISA's KEV catalog, indicating limited evidence of active, weaponized attacks in the wild as of the publication date.
Remediation
Apply a kernel update that includes the fix for mt76 MT7921 CLC buffer handling. The patch adds proper bounds checking before each buffer length decrement and validates CLC table structure before processing power entries. Verify the patch against your Linux distribution's advisory; common vendors (Ubuntu, Red Hat, Debian) typically backport this to stable and LTS kernel branches. After patching, recompile the kernel or install the distribution's prebuilt image, then reboot to activate the fix.
Patch guidance
Obtain the patched kernel from your distribution's security channel. For Ubuntu: check security.ubuntu.com for linux-image packages with the mt76 fix. For Red Hat/CentOS: consult security.redhat.com and use 'yum update kernel' or 'dnf update kernel'. For Debian: update from the security suite. Verify patch application by comparing your kernel version against the advisory timeline; the fix was merged upstream around the 2026-05-28 publication date. Test in a non-production environment first, especially if custom kernel configurations are in use.
Detection guidance
Monitor system logs for mt7921 driver initialization failures or repeated 'clc buffer underflow' warnings. In dmesg or journalctl, look for messages mentioning 'mt7921', 'CLC', or 'power setting' errors during driver load. Devices with the vulnerability may show Wi-Fi as present but non-functional. Use 'ethtool -d' or vendor diagnostic tools to inspect driver state. On vulnerable systems, triggering a reload of the regulatory domain (via 'iw reg set') may reproduce the failure. Endpoint detection tools should flag systems where mt76 driver errors correlate with Wi-Fi outages.
Why prioritize this
This vulnerability scores HIGH (CVSS 7.8) and warrants prompt patching because it directly impacts system availability and can be triggered by local users with minimal privilege. While not yet in active exploit campaigns (KEV status: false), the combination of ease of local triggering, impact on critical wireless connectivity, and presence in mainstream Linux distributions makes it a medium-to-high priority for organizations with MT7921 deployments. Prioritize over purely remote vulnerabilities but behind any actively exploited KEV items.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: local attack vector (AV:L) requiring user-level privileges (PR:L), no user interaction needed, uniform scope, and high impact across confidentiality, integrity, and availability (C:H, I:H, A:H). The 'A:H' impact rating is justified because the underflow causes denial of service via driver failure. The local requirement and privilege threshold prevent a perfect 10.0 but do not diminish the practical risk for systems where local users are not fully trusted or where configuration tampering is feasible.
Frequently asked questions
Does this affect my Linux system?
Only if it includes a MediaTek MT7921 Wi-Fi chipset and runs an unpatched Linux kernel from approximately 2.6.39 through the fix date (late May 2026). Check with 'lspci | grep -i mt7921' or 'lsusb | grep -i mt7921'. If neither returns results, you are not affected.
Can this be exploited remotely?
No. The vulnerability requires local access and the ability to influence Wi-Fi driver configuration or CLC data. It cannot be triggered by a remote attacker sending network packets.
What is CLC, and why does it matter?
CLC (Carrier List Configuration) is a regulatory database that tells the Wi-Fi driver which power levels and channels are permitted in each country. The driver parses this data during initialization; the bug occurs during that parsing phase when the buffer size counter underflows, causing an infinite loop or invalid power settings.
Do I need to reboot after patching?
Yes, you must reboot to load the patched kernel. Simply installing the package without reboot leaves the vulnerable kernel in memory.
This analysis is provided for informational purposes and does not constitute legal or professional security advice. CVSS scores, vendor details, and patch information are derived from official sources current as of the publication date. Organizations should verify patch availability and compatibility with their specific systems before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this information; always consult vendor advisories and conduct your own risk assessment. Proof-of-concept code or weaponized exploits are not provided, and readers should not attempt to reproduce this vulnerability in production environments without explicit authorization. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10883HIGH
CVE-2026-10883: Type Confusion in Chrome ANGLE Graphics Library | Critical Heap Corruption
- CVE-2026-10897HIGH
CVE-2026-10897: Critical Chrome GPU Sandbox Escape Vulnerability
- CVE-2026-10907HIGH
CVE-2026-10907: Chrome ANGLE Out-of-Bounds Write – Remote Code Execution Risk
- CVE-2026-10941HIGH
CVE-2026-10941: Skia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-46123HIGH
CVE-2026-46123: Linux Kernel Virtio Bluetooth Memory Disclosure Vulnerability
- CVE-2026-46145HIGH
CVE-2026-46145: Linux Kernel RDMA/mana Buffer Overflow – Local Privilege Escalation
- CVE-2021-4478HIGH
CVE-2021-4478: Dräger CC-Vision Buffer Overflow in .gdt File Parsing
- CVE-2025-59605HIGH
CVE-2025-59605: Qualcomm Memory Corruption in Device Identifier Processing