CVE-2025-68765 Overview
A memory leak vulnerability has been identified in the Linux kernel's mt76 wireless driver, specifically within the mt7615 component. The flaw exists in the mt7615_mcu_wtbl_sta_add() function, where an allocated socket buffer (skb sskb) is not properly freed when a subsequent call to mt76_connac_mcu_alloc_wtbl_req() fails. This results in a memory leak that can accumulate over time, potentially leading to resource exhaustion and system instability.
Critical Impact
Repeated exploitation of this memory leak can lead to kernel memory exhaustion, causing system degradation and potential denial of service conditions on systems using MediaTek MT7615 wireless chipsets.
Affected Products
- Linux kernel with mt76 mt7615 wireless driver
- Systems using MediaTek MT7615 wireless chipsets
- Embedded devices and routers with MT7615-based wireless connectivity
Discovery Timeline
- 2026-01-05 - CVE CVE-2025-68765 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-68765
Vulnerability Analysis
This memory leak vulnerability occurs in the MediaTek mt7615 wireless driver's MCU (Microcontroller Unit) communication layer. The mt7615_mcu_wtbl_sta_add() function is responsible for adding station entries to the WTBL (Wireless Table) through MCU requests.
During the station addition process, the function allocates a socket buffer (sskb) to construct the MCU request. However, the error handling path does not properly release this allocated buffer when subsequent operations fail. Specifically, if mt76_connac_mcu_alloc_wtbl_req() returns an error, the function returns immediately without calling dev_kfree_skb() on the allocated sskb, causing the memory to remain allocated but unreachable.
Over time, especially in environments with frequent wireless station associations and disassociations, this leak can accumulate significant kernel memory, potentially impacting system stability and performance.
Root Cause
The root cause is missing error handling code in the mt7615_mcu_wtbl_sta_add() function. When an skb is allocated and a subsequent operation fails, the allocated memory is not freed before the function returns an error code. This is a classic resource cleanup omission in kernel driver code where all allocated resources must be released in error paths.
Attack Vector
The vulnerability can be triggered through repeated wireless station association attempts that cause the mt76_connac_mcu_alloc_wtbl_req() function to fail. While the attack vector requires proximity to the wireless network, an attacker could potentially craft scenarios that repeatedly trigger the error condition, leading to gradual memory exhaustion on the target system.
The fix involves adding a call to dev_kfree_skb() on the sskb variable in the error handling path, ensuring proper cleanup when mt76_connac_mcu_alloc_wtbl_req() fails. This ensures the socket buffer is properly released regardless of whether the function succeeds or fails.
Detection Methods for CVE-2025-68765
Indicators of Compromise
- Gradual increase in kernel memory usage (slab allocations) over time
- System memory pressure warnings in kernel logs
- Degraded wireless performance on systems using MT7615 chipsets
- Potential OOM (Out of Memory) killer activity affecting system processes
Detection Strategies
- Monitor /proc/slabinfo for unusual growth in skbuff-related allocations
- Track kernel memory usage trends using tools like vmstat or sar
- Enable kernel memory debugging options such as KMEMLEAK to detect unreachable memory
- Review system logs for mt76/mt7615 driver error messages indicating allocation failures
Monitoring Recommendations
- Implement continuous monitoring of kernel memory consumption on affected systems
- Set up alerts for abnormal memory growth patterns in embedded devices
- Periodically restart wireless services on vulnerable systems as a temporary mitigation
- Deploy kernel tracing tools to monitor mt7615_mcu_wtbl_sta_add() invocations and error returns
How to Mitigate CVE-2025-68765
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the memory leak fix
- Monitor system memory usage on affected devices until patches can be applied
- Consider temporarily limiting wireless station association rates if under active attack
- Review system logs for signs of memory exhaustion related to the mt76 driver
Patch Information
The vulnerability has been fixed in the Linux kernel with commits available in the stable kernel tree. Multiple patches have been released targeting different kernel versions:
- Kernel Git Commit 278bfed4529a
- Kernel Git Commit 4d42aba0ee49
- Kernel Git Commit 53d154861267
- Kernel Git Commit fb905e69941b
The fix adds a call to dev_kfree_skb() in the error handling path to ensure the allocated socket buffer is properly freed when mt76_connac_mcu_alloc_wtbl_req() fails.
Workarounds
- Implement periodic wireless service restarts to clear accumulated leaked memory
- Reduce wireless client association frequency where possible
- Monitor and proactively reboot systems showing signs of memory pressure
- Consider using alternative wireless drivers if available for the hardware
# Monitor kernel memory usage for mt76 driver allocations
cat /proc/slabinfo | grep -i skb
# Check kernel logs for mt76 driver errors
dmesg | grep -i mt76
# Monitor overall memory usage
watch -n 5 'free -m && cat /proc/meminfo | grep -i slab'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
