CVE-2025-68380 in Linux
Summary
by MITRE • 12/24/2025
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix peer HE MCS assignment
In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to firmware as receive MCS while peer's receive MCS sent as transmit MCS, which goes against firmwire's definition.
While connecting to a misbehaved AP that advertises 0xffff (meaning not supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff is assigned to he_mcs->rx_mcs_set field.
Ext Tag: HE Capabilities [...]
Supported HE-MCS and NSS Set [...]
Rx and Tx MCS Maps 160 MHz [...]
Tx HE-MCS Map 160 MHz: 0xffff
Swap the assignment to fix this issue.
As the HE rate control mask is meant to limit our own transmit MCS, it needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping done, change is needed as well to apply it to the peer's receive MCS.
Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/12/2026
The vulnerability CVE-2025-68380 affects the Linux kernel's ath11k wireless driver implementation, specifically within the WMI (Wireless Microcontroller Interface) peer association command processing functionality. This issue represents a critical data mapping error that fundamentally misconfigures the High Efficiency (HE) wireless communication parameters between the host system and the wireless firmware. The flaw occurs in the ath11k_wmi_send_peer_assoc_cmd() function where the transmit and receive MCS (Modulation and Coding Scheme) assignments are swapped, creating a fundamental mismatch in the wireless communication protocol stack. The vulnerability stems from a direct violation of the firmware's expected parameter definitions, where transmit parameters are incorrectly mapped to receive fields and vice versa. This misconfiguration directly impacts the IEEE 802.11ax (Wi-Fi 6) wireless communication standards implementation within the Linux kernel's wireless subsystem.
The technical implementation flaw manifests when the wireless firmware processes peer association requests containing HE capabilities information, specifically the HE-MCS and NSS Set configuration data. When a wireless access point advertises 0xffff (indicating not supported) for the 160 MHz transmit MCS map, the firmware encounters a critical crash scenario because this invalid value gets incorrectly assigned to the he_mcs->rx_mcs_set field. This represents a classic buffer overflow or invalid parameter handling condition that violates the firmware's expected data validation mechanisms. The error occurs during the wireless association process when the driver attempts to configure the peer's wireless capabilities, specifically the MCS mapping for 160 MHz channel widths. This type of parameter swapping error is classified as a CWE-783 design flaw that results in incorrect data flow between system components, directly impacting the wireless subsystem's stability and security posture.
The operational impact of this vulnerability extends beyond simple system instability to potentially enable denial-of-service conditions that can disrupt wireless connectivity for devices using the affected ath11k driver. The crash occurs during normal wireless association procedures when connecting to access points that properly advertise their wireless capabilities, making this vulnerability exploitable in real-world scenarios without requiring special privileges or conditions. This issue affects hardware platforms including WCN6855 and QCN9274 chipsets, which are commonly found in enterprise and consumer wireless networking equipment. The vulnerability directly impacts the wireless communication reliability of Linux-based systems that depend on these wireless drivers for network connectivity, potentially causing intermittent or complete loss of wireless functionality. From an ATT&CK framework perspective, this vulnerability could be leveraged for network disruption and availability attacks, potentially affecting the wireless network infrastructure's operational continuity.
The mitigation strategy for this vulnerability requires implementing the corrected parameter assignment logic that properly maps transmit MCS values to the he_mcs->tx_mcs_set field and receive MCS values to the he_mcs->rx_mcs_set field as originally intended. This fix ensures that the wireless rate control mask, which is designed to limit the transmitter's own MCS capabilities, is properly configured through the correct field within the firmware's data structure. The solution involves updating the wireless driver code to correctly handle the HE capabilities advertisement from access points, specifically ensuring that when a peer advertises 0xffff for unsupported MCS configurations, the firmware processes this information correctly without crashing. The fix must also ensure that the rate control mask properly applies to the peer's receive MCS capabilities rather than transmit capabilities, maintaining the intended wireless communication protocol behavior. This vulnerability demonstrates the critical importance of proper parameter validation and data structure mapping in wireless driver implementations, particularly when handling complex multi-rate wireless communication standards such as IEEE 802.11ax. The resolution requires careful testing on the affected hardware platforms to ensure that the corrected implementation maintains compatibility with existing wireless network infrastructure while preventing the firmware crash condition that previously occurred.