Description
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Correct tid cleanup when tid setup fails Currently, if any error occurs during ath12k_dp_rx_peer_tid_setup(), the tid value is already incremented, even though the corresponding TID is not actually allocated. Proceed to ath12k_dp_rx_peer_tid_delete() starting from unallocated tid, which might leads to freeing unallocated TID and cause potential crash or out-of-bounds access. Hence, fix by correctly decrementing tid before cleanup to match only the successfully allocated TIDs. Also, remove tid-- from failure case of ath12k_dp_rx_peer_frag_setup(), as decrementing the tid before cleanup in loop will take care of this. Compile tested only.
References (5)
Core 5
Core References
Scores
CVSS v3
7.1
EPSS
0.0002
EPSS Percentile
4.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Details
CWE
CWE-125
Status
published
Products (5)
linux/Kernel
6.13.0 - 6.15.11linux
linux/Kernel
6.16.0 - 6.16.2linux
linux/Kernel
6.3.0 - 6.6.103linux
linux/Kernel
6.7.0 - 6.12.43linux
linux/linux_kernel
6.3 - 6.6.103
Published
Sep 11, 2025
Tracked Since
Feb 18, 2026