Description
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix 6 GHz scan construction If more than 255 colocated APs exist for the set of all APs found during 2.4/5 GHz scanning, then the 6 GHz scan construction will loop forever since the loop variable has type u8, which can never reach the number found when that's bigger than 255, and is stored in a u32 variable. Also move it into the loops to have a smaller scope. Using a u32 there is fine, we limit the number of APs in the scan list and each has a limit on the number of RNR entries due to the frame size. With a limit of 1000 scan results, a frame size upper bound of 4096 (really it's more like ~2300) and a TBTT entry size of at least 11, we get an upper bound for the number of ~372k, well in the bounds of a u32.
Product status
eae94cf82d7456b57fa9fd55c1edb8a726dcc19c (git) before 2ac15e5a8f42fed5d90ed9e1197600913678c50f
eae94cf82d7456b57fa9fd55c1edb8a726dcc19c (git) before cde8a7eb5c6762264ff0f4433358e0a0d250c875
eae94cf82d7456b57fa9fd55c1edb8a726dcc19c (git) before fc621e7a043de346c33bd7ae7e2e0c651d6152ef
eae94cf82d7456b57fa9fd55c1edb8a726dcc19c (git) before 2ccd5badadab2d586e91546bf5af3deda07fef1f
eae94cf82d7456b57fa9fd55c1edb8a726dcc19c (git) before 7245012f0f496162dd95d888ed2ceb5a35170f1a
5.11
Any version before 5.11
5.15.171 (semver)
6.1.116 (semver)
6.6.60 (semver)
6.11.7 (semver)
6.12 (original_commit_for_fix)
References
lists.debian.org/debian-lts-announce/2025/01/msg00001.html
git.kernel.org/...c/2ac15e5a8f42fed5d90ed9e1197600913678c50f
git.kernel.org/...c/cde8a7eb5c6762264ff0f4433358e0a0d250c875
git.kernel.org/...c/fc621e7a043de346c33bd7ae7e2e0c651d6152ef
git.kernel.org/...c/2ccd5badadab2d586e91546bf5af3deda07fef1f
git.kernel.org/...c/7245012f0f496162dd95d888ed2ceb5a35170f1a
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.
