Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: fix peer HE MCS assignment

In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to firmware as receive MCS while peer's receive MCS is sent as transmit MCS, which goes against firmware's definition.

While connecting to a misbehaved AP that advertises 0xffff (meaning not supported) for 160 MHz transmit MCS map, firmware crashes because 0xffff is assigned to the he_mcs->rx_mcs_set field.

    Ext Tag: HE Capabilities
        [...]
        Supported HE-MCS and NSS Set
            [...]
            Rx and Tx MCS Maps 160 MHz
                [...]
                Tx HE-MCS Map 160 MHz: 0xffff

Swap the assignment to fix this issue.

As the HE rate control mask is meant to limit our own transmit MCS, it needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping done, change is needed as well to apply it to the peer's receive MCS.

Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
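The swap described above, modelled as an added example (not the ath11k driver's code): it decodes a 16-bit HE-MCS map per spatial stream and shows what reaches rx_mcs_set before and after the fix. The struct he_mcs_model and all function names are hypothetical; only the two field names come from the description, and the sample maps are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* HE-MCS map: eight 2-bit fields, one per spatial stream (NSS 1..8).
 * 0 = MCS 0-7, 1 = MCS 0-9, 2 = MCS 0-11, 3 = not supported. */
#define HE_MCS_NOT_SUPPORTED 3u

/* Hypothetical stand-in for the firmware-facing structure (assumption). */
struct he_mcs_model { uint16_t rx_mcs_set; uint16_t tx_mcs_set; };

/* Highest MCS index usable on stream nss (1..8), or -1 if unsupported. */
int he_max_mcs(uint16_t map, int nss)
{
    static const int max_mcs[] = { 7, 9, 11 };
    unsigned v = (map >> (2 * (nss - 1))) & 0x3u;
    return v == HE_MCS_NOT_SUPPORTED ? -1 : max_mcs[v];
}

/* Number of spatial streams the map declares usable; 0xffff gives 0. */
int he_supported_nss(uint16_t map)
{
    int n = 0;
    for (int nss = 1; nss <= 8; nss++)
        n += he_max_mcs(map, nss) >= 0;
    return n;
}

/* Pre-fix behaviour as described: peer's Tx map lands in rx_mcs_set. */
struct he_mcs_model assign_swapped(uint16_t peer_rx, uint16_t peer_tx)
{
    return (struct he_mcs_model){ .rx_mcs_set = peer_tx, .tx_mcs_set = peer_rx };
}

/* Post-fix behaviour as described: each map goes to the matching field. */
struct he_mcs_model assign_fixed(uint16_t peer_rx, uint16_t peer_tx)
{
    return (struct he_mcs_model){ .rx_mcs_set = peer_rx, .tx_mcs_set = peer_tx };
}

int main(void)
{
    /* Constructed 160 MHz maps: Rx allows MCS 0-11 on two streams, Tx is 0xffff. */
    uint16_t peer_rx = 0xfffa, peer_tx = 0xffff;
    printf("swapped: rx_mcs_set=0x%04x usable streams=%d\n",
           (unsigned)assign_swapped(peer_rx, peer_tx).rx_mcs_set,
           he_supported_nss(assign_swapped(peer_rx, peer_tx).rx_mcs_set));
    printf("fixed:   rx_mcs_set=0x%04x usable streams=%d\n",
           (unsigned)assign_fixed(peer_rx, peer_tx).rx_mcs_set,
           he_supported_nss(assign_fixed(peer_rx, peer_tx).rx_mcs_set));
    return 0;
}
```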

PUBLISHED Reserved 2025-12-16 | Published 2025-12-24 | Updated 2025-12-24 | Assigner Linux

Product status

Default status: unaffected

61fe43e7216df6e9a912d831aafc7142fa20f280 (git) before 097c870b91817779e5a312c6539099a884b1fe2b: affected
61fe43e7216df6e9a912d831aafc7142fa20f280 (git) before 381096a417b7019896e93e86f4c585c592bf98e2: affected
61fe43e7216df6e9a912d831aafc7142fa20f280 (git) before 6b1a0da75932353f66e710976ca85a7131f647ff: affected
61fe43e7216df6e9a912d831aafc7142fa20f280 (git) before 4a013ca2d490c73c40588d62712ffaa432046a04: affected

Default status: affected

5.16: affected
Any version before 5.16: unaffected
6.12.63 (semver): unaffected
6.17.13 (semver): unaffected
6.18.2 (semver): unaffected
6.19-rc1 (original_commit_for_fix): unaffected

References

git.kernel.org/...c/097c870b91817779e5a312c6539099a884b1fe2b

git.kernel.org/...c/381096a417b7019896e93e86f4c585c592bf98e2

git.kernel.org/...c/6b1a0da75932353f66e710976ca85a7131f647ff

git.kernel.org/...c/4a013ca2d490c73c40588d62712ffaa432046a04

cve.org (CVE-2025-68380)

nvd.nist.gov (CVE-2025-68380)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.