CVE-2026-46271: Linux Kernel WoW Offload Firmware Crash (WCN7850 Multi-Link WiFi)
A vulnerability in the Linux kernel's WiFi driver for Qualcomm's WCN7850 chipset causes the firmware to crash when Wake-on-LAN (WoW) offload features are enabled on multiple network links simultaneously. The issue occurs specifically in multi-link WiFi connections—a feature that allows devices to maintain concurrent connections across different frequency bands. The vulnerability is triggered because the driver was incorrectly applying WoW offload settings to both primary and secondary links, overwhelming the firmware. The fix involves restricting these offload operations to the primary link only, preventing the crash.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- —
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: do WoW offloads only on primary link In case of multi-link connection, WCN7850 firmware crashes due to WoW offloads enabled on both primary and secondary links. Change to do it only on primary link to fix it. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46271 is a kernel-level bug in the ath12k WiFi driver affecting WCN7850 hardware. In multi-link mode (MLO—Multi-Link Operation), the driver enables Wake-on-LAN offload functionality on both the primary and secondary links. The WCN7850 firmware cannot properly handle WoW offloads across multiple simultaneous links and crashes. The resolution restricts offload configuration to the primary link, aligning with the chipset's design constraints. This affects the qca6490 and WCN7850 wireless adapters running affected kernel versions with the ath12k driver compiled in.
Business impact
For organizations deploying Linux systems with Qualcomm WiFi adapters in multi-link configurations—particularly mobile workstations, laptops, and edge devices relying on WiFi resilience—this vulnerability creates reliability issues. Firmware crashes on WoW transitions degrade sleep-mode battery efficiency and interrupt connectivity expectations. Data center and enterprise environments using these adapters for failover or redundancy scenarios may experience unexpected downtime during suspend/resume cycles. The crash is not exploitable for privilege escalation or data theft, but its impact on system stability and power management affects operational continuity.
Affected systems
Linux systems with the ath12k WiFi driver and WCN7850 (or related Qualcomm) hardware adapters running vulnerable kernel versions. This includes many modern laptops, mobile workstations, and Linux-based edge devices utilizing multi-link WiFi. Desktop systems with only single-link WiFi configurations are not affected. The vulnerability manifests only when multi-link mode is active and the system attempts to enter a sleep state with WoW offloads enabled.
Exploitability
This vulnerability is not directly exploitable for remote code execution or privilege escalation. It requires local access to a system running the vulnerable kernel with the affected driver, multi-link WiFi active, and the system transitioning to suspend/resume with WoW offloads enabled. The impact is denial of service via firmware crash rather than unauthorized access. No active exploitation attempts are known, and the low bar to triggering the crash (standard power management on multi-link systems) means it would likely be discovered through normal use rather than targeted attack.
Remediation
Apply kernel updates containing the fix that restricts WoW offload operations to the primary link only. Verify the patch version from your Linux distribution's security advisory; upstream fixes are expected in stable kernel releases following the 2026-06-17 modification date. For systems unable to patch immediately, a workaround is to disable multi-link WiFi mode if the adapter supports it, though this sacrifices performance and resilience benefits. Ensure firmware is up-to-date (tested on WCN7850 hw2.0 with version WLAN.HMT.1.1.c5-00284 or later).
Patch guidance
Consult your Linux distribution's security advisories for specific kernel version numbers containing this fix. Ubuntu, Debian, Fedora, and other maintainers release backported patches to stable kernels. Verify patched versions against vendor advisories before deployment. The upstream fix is relatively low-risk—it removes incorrect offload configuration rather than introducing new logic—and should be prioritized for systems in production with WCN7850 adapters. Test patches in staging environments that include multi-link WiFi suspend/resume cycles.
Detection guidance
Monitor kernel logs (dmesg, journalctl) for ath12k driver errors, firmware crashes, or watchdog timeouts coinciding with system suspend events on multi-link WiFi systems. Firmware crash signatures may include 'WoW' or 'offload' references. Tools like `iw link` can confirm multi-link status; correlate crashes with multi-link active periods. Endpoint detection and response (EDR) solutions should flag unexpected device firmware restarts during normal power transitions. No special tooling is required; standard system logging captures the failure.
Why prioritize this
Although not in active exploitation and limited to local triggering, the HIGH CVSS score (7.8) reflects the full impact on affected systems: local privilege context, no user interaction required, and high confidentiality, integrity, and availability impact. The practical effect is more limited (DoS via crash), but the severity reflects the broader criteria. Prioritize patching for mobile and remote workforce devices where WiFi is primary and sleep cycles are frequent. Servers and stationary endpoints can be patched on standard schedules.
Risk score, explained
CVSS 3.1 score of 7.8 (HIGH) is driven by Attack Vector (Local), Access Complexity (Low), Privileges Required (Low), User Interaction (None), and impact across Confidentiality, Integrity, and Availability (all High). While the practical manifestation is firmware DoS rather than privilege escalation, the scoring reflects that a local attacker or compromised process could trigger the crash and cause system instability or data loss if suspend/resume operations are critical to the threat model. The score appropriately escalates priority without overstating the actual attack surface.
Frequently asked questions
Does this vulnerability allow remote code execution or privilege escalation?
No. This is a local denial-of-service vulnerability via firmware crash. It requires local access to the system and only manifests during suspend/resume operations with multi-link WiFi active. No remote or privilege escalation mechanisms are present.
I have a WCN7850 adapter but use single-link WiFi. Am I affected?
No. The vulnerability only occurs in multi-link mode (MLO). If your system is using a single link, WoW offloads function correctly on that single link. Multi-link mode must be active for the firmware crash to occur.
What should I do if I cannot patch immediately?
Disable multi-link WiFi mode in your driver or BIOS settings if available, though this reduces performance and resilience. Avoid putting the system into suspend if feasible, or test whether your distribution's kernel version includes the fix before updating. Monitor kernel logs for crashes and prioritize patching in your maintenance window.
How do I verify if my system is vulnerable?
Check your kernel version and confirm the ath12k driver is compiled in (lsmod | grep ath12k). Verify multi-link WiFi is supported and enabled (iw link). Consult your Linux distribution's security advisory or the upstream kernel changelog to confirm whether your version includes the fix dated 2026-06-17 or later.
This analysis is based on CVE-2026-46271 vulnerability data current as of the published date. Patch availability, version numbers, and distribution timelines vary by Linux vendor; verify specific remediation steps against your distribution's security advisories. SEC.co does not provide legal or contractual assurance; use this information to inform your own risk assessments and patch management processes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment