CVE-2026-46248: Linux ath12k WiFi Driver Link Mapping Denial of Service
This vulnerability affects the Linux kernel's WiFi driver for Qualcomm Atheros ath12k chipsets. When a WiFi interface fails during setup for multi-link operation (MLO), the driver can retain stale data about link mappings. If a new connection attempt reuses the same link ID, the driver triggers a warning and may experience instability. The issue stems from incomplete cleanup during failed initialization—specifically, link deletion code only runs if the interface was fully created, leaving orphaned references behind.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: clear stale link mapping of ahvif->links_map When an arvif is initialized in non-AP STA mode but MLO connection preparation fails before the arvif is created (arvif->is_created remains false), the error path attempts to delete all links. However, link deletion only executes when arvif->is_created is true. As a result, ahvif retains a stale entry of arvif that is initialized but not created. When a new arvif is initialized with the same link id, this stale mapping triggers the following WARN_ON. WARNING: drivers/net/wireless/ath/ath12k/mac.c:4271 at ath12k_mac_op_change_vif_links+0x140/0x180 [ath12k], CPU#3: wpa_supplicant/275 Call trace: ath12k_mac_op_change_vif_links+0x140/0x180 [ath12k] (P) drv_change_vif_links+0xbc/0x1a4 [mac80211] ieee80211_vif_update_links+0x54c/0x6a0 [mac80211] ieee80211_vif_set_links+0x40/0x70 [mac80211] ieee80211_prep_connection+0x84/0x450 [mac80211] ieee80211_mgd_auth+0x200/0x480 [mac80211] ieee80211_auth+0x14/0x20 [mac80211] cfg80211_mlme_auth+0x90/0xf0 [cfg80211] nl80211_authenticate+0x32c/0x380 [cfg80211] genl_family_rcv_msg_doit+0xc8/0x134 Fix this issue by unassigning the link vif and clearing ahvif->links_map if arvif is only initialized but not created. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.5-01651-QCAHKSWPL_SILICONZ-1
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46248 is a logic error in the ath12k WiFi driver's multi-link operation (MLO) initialization path. When an arvif (Atheros virtual interface) is initialized in non-AP STA mode but MLO connection preparation fails before arvif->is_created is set to true, the error handling path skips link deletion. This occurs because link deletion is guarded by the is_created flag. Consequently, ahvif->links_map retains a stale entry pointing to an initialized-but-not-created arvif. Upon subsequent connection attempts using the same link ID, a new arvif initialization collides with the stale mapping, triggering a WARN_ON at ath12k_mac_op_change_vif_links(). The fix clears the ahvif->links_map entry and unassigns the link vif when arvif remains uninitialized after failure, ensuring the mapping state stays consistent.
Business impact
Systems running affected ath12k-based WiFi hardware may experience WiFi instability or disconnections during multi-link operation, particularly in environments where connections fail and retry frequently (e.g., mobile devices, roaming scenarios). While not a direct security breach, the resulting denial-of-service condition impacts network availability and user experience. Organizations relying on Linux systems with ath12k chipsets—including some enterprise laptops and edge devices—should treat this as a reliability issue affecting wireless connectivity.
Affected systems
The Linux kernel ath12k WiFi driver is affected. This driver supports Qualcomm Atheros ath12k wireless chipsets, including the QCN9274 hw2.0 (the tested platform noted in the advisory). Any Linux system or device using ath12k for WiFi connectivity is potentially impacted, including enterprise Linux distributions, embedded systems, and mobile devices running Linux-based OSes. Exact kernel version ranges are not specified in the advisory; administrators should consult the Linux kernel security tracker and their distributor for affected versions.
Exploitability
Exploitation requires local access (AV:L) and user-level privileges (PR:L). An unprivileged local user can trigger the vulnerability by initiating WiFi connection attempts that fail during MLO setup, causing repeated link ID reuse. No special tools or network access are needed—standard WiFi connection mechanisms are sufficient. The vulnerability is not remotely exploitable and does not require elevated privileges, though the impact is primarily denial-of-service (WiFi unavailability) rather than data exfiltration or privilege escalation.
Remediation
Apply the Linux kernel patch that clears stale link mappings in the ath12k driver's error path. The fix ensures ahvif->links_map is unassigned when an arvif fails to initialize. Administrators should update their Linux kernel to a version that includes this fix; consult your distribution's security advisories and the Linux kernel stable release notes for the specific version containing the patch. No workaround exists; kernel update is the only mitigation.
Patch guidance
Patch availability depends on your Linux distribution and kernel version. Check your distributor's security advisory for CVE-2026-46248 to determine the patched kernel version. For users tracking mainline Linux, verify that the fix commit resolving the ath12k link mapping issue is included in your kernel version (typically in stable releases following the fix merge). Test WiFi connectivity, particularly multi-link operation scenarios, after patching to confirm proper operation. Rollback is not recommended except in cases of regression; this is a defensive fix addressing a rare error path.
Detection guidance
Monitor kernel logs for WARN_ON messages originating from ath12k_mac_op_change_vif_links() in drivers/net/wireless/ath/ath12k/mac.c, particularly at line 4271. Unexpected WiFi disconnections or repeated connection failures during MLO setup may indicate the stale link mapping issue. Use dmesg or journalctl to inspect system logs on affected systems. On production systems, configure log aggregation to flag these warnings for investigation. Note that the warning itself is harmless once the patch is applied; it was the symptom of underlying state corruption.
Why prioritize this
While the CVSS score of 5.5 (MEDIUM) reflects the local attack surface and denial-of-service nature, this should be prioritized based on your deployment profile. Organizations with heavy ath12k chipset usage in Linux environments—particularly those supporting mobile or roaming deployments—should patch promptly. The reliability impact on WiFi connectivity justifies near-term scheduling. Conversely, data-center-focused environments with primarily Ethernet infrastructure may defer patching to the next routine maintenance window.
Risk score, explained
The CVSS v3.1 score of 5.5 (MEDIUM) reflects an attack vector limited to local access (AV:L), low attack complexity (AC:L), and user-level privileges (PR:L), with no user interaction required (UI:N). The impact is confined to availability (A:H), with no confidentiality or integrity damage (C:N, I:N). The scope is unchanged (S:U). The score appropriately captures a local reliability issue but understates the practical impact for WiFi-dependent workflows; prioritization should factor in organizational reliance on wireless connectivity.
Frequently asked questions
Does this affect my Linux system if I don't use WiFi or don't have an ath12k chipset?
No. The vulnerability is specific to the ath12k WiFi driver. Systems without ath12k hardware or those not using WiFi are not affected. Check your device or system specifications; common Qualcomm Atheros WiFi chips include model numbers starting with QCN or similar designations.
Can this vulnerability be exploited remotely over WiFi?
No. The attack vector is local-only (AV:L in the CVSS vector). An attacker would need legitimate local access to the system to trigger WiFi connection attempts. Remote WiFi-based attacks are not possible.
What happens if I don't patch this vulnerability?
Your WiFi may become unstable or disconnect unexpectedly, especially when multi-link operation is in use or during repeated connection failures. The system will not be compromised or lose data, but wireless connectivity may become unreliable. The impact severity depends on how critical WiFi is to your workflow.
Are there any risks or side effects to applying the patch?
The patch is defensive and resolves incorrect behavior; it corrects a logic error in the error path. No adverse effects are anticipated. Standard testing of WiFi connectivity after patching is recommended to confirm proper operation, but widespread issues are unlikely.
This analysis is based on published CVE data and the vendor advisory. Specific kernel versions affected and patch release dates should be verified against your Linux distribution's security advisories and the Linux Kernel Security Tracker. No exploit code or weaponized proof-of-concept is provided. Organizations should validate patch compatibility with their specific kernel versions and distributions before deployment. This vulnerability does not appear on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure