CVE-2026-23130 Overview
A deadlock vulnerability has been discovered in the Linux kernel's ath12k Wi-Fi driver that occurs during the flushing of management frames. The vulnerability arises from a race condition between the management frame transmission work item and the ath12k_mac_op_flush() function when attempting to flush pending frames.
The issue was introduced when a previous commit converted the management transmission work item into a wiphy work. Since wiphy work can only run under wiphy lock protection, a deadlock condition occurs when the flush process holds the wiphy lock while waiting for transmission completion, preventing the transmission work item from executing.
Critical Impact
This deadlock condition can cause Wi-Fi authentication and association failures, resulting in network connectivity issues for systems using Qualcomm Atheros ath12k-compatible wireless adapters.
Affected Products
- Linux kernel with ath12k Wi-Fi driver
- Systems using Qualcomm WCN7850 wireless adapters
- Linux distributions with ath12k PCI wireless support
Discovery Timeline
- 2026-02-14 - CVE CVE-2026-23130 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23130
Vulnerability Analysis
The deadlock vulnerability occurs in the ath12k Wi-Fi driver's management frame handling code. When a management frame is queued for transmission and ath12k_mac_op_flush() is subsequently called to flush pending frames (particularly when the vif parameter is NULL), the process acquires the wiphy lock and waits for transmission completion.
However, the transmission work item, which was converted to a wiphy work in a previous commit, requires the same wiphy lock to execute. This creates a circular dependency where the flush operation holds the lock while waiting for transmission, but transmission cannot proceed because it cannot acquire the lock held by the flush operation.
From a user perspective, this manifests as authentication failures with error messages such as:
ath12k_pci 0000:08:00.0: failed to flush mgmt transmit queue, mgmt pkts pending 1
Users may observe repeated authentication attempts followed by association aborts with reason code 3 (DEAUTH_LEAVING).
Root Cause
The root cause is improper lock ordering introduced when the management transmission work item was converted to a wiphy work. The existing wiphy_work_flush() call in ath12k_mac_op_flush() was positioned to only handle cases where the vif parameter was non-NULL, leaving the NULL vif case unprotected against the deadlock condition.
The fix involves repositioning the wiphy_work_flush() call earlier in the execution path to ensure the queued work item is proactively run before the wiphy lock is held for extended periods, covering both NULL and non-NULL vif scenarios.
Attack Vector
This is a local denial of service vulnerability that can be triggered during normal Wi-Fi operations. The deadlock is triggered through normal system operations involving Wi-Fi management frame handling, specifically during authentication and association processes with access points.
The vulnerability does not require malicious intent to trigger—it can occur during routine Wi-Fi connectivity operations on affected systems with ath12k-compatible wireless hardware.
Detection Methods for CVE-2026-23130
Indicators of Compromise
- Kernel log messages indicating failed management transmit queue flushes: failed to flush mgmt transmit queue, mgmt pkts pending
- Repeated Wi-Fi authentication timeouts and retries in system logs
- Association abort messages with reason code 3 (DEAUTH_LEAVING)
- System unresponsiveness or hangs related to Wi-Fi operations
- ath12k driver stack traces showing lock contention in kernel logs
Detection Strategies
- Monitor kernel logs for ath12k driver error messages related to management frame queue flushing
- Implement monitoring for Wi-Fi authentication failure patterns on systems with WCN7850 adapters
- Check for kernel version and ath12k driver module version against patched versions
- Monitor system responsiveness during Wi-Fi connectivity changes
Monitoring Recommendations
- Configure syslog alerting for ath12k_pci error messages
- Implement network monitoring to detect repeated authentication failures
- Monitor kernel lockup detection mechanisms for deadlock-related warnings
- Track system stability metrics on endpoints with ath12k wireless hardware
How to Mitigate CVE-2026-23130
Immediate Actions Required
- Update the Linux kernel to a version containing the fix commits
- Monitor systems with ath12k wireless adapters for authentication failures
- Consider temporary use of wired connections on critical systems until patching is complete
- Review kernel logs for evidence of the deadlock condition
Patch Information
The vulnerability has been resolved in the Linux kernel. The fix repositions the wiphy_work_flush() call in ath12k_mac_flush() to occur earlier in the execution path, ensuring the queued transmission work item is proactively run before the wiphy lock creates a deadlock scenario.
Patch commits are available:
- Kernel Git Commit Details - Primary fix commit (06ac2aa13f70)
- Kernel Git Commit Update - Additional commit (f88e9fc30a26)
The fix was tested on WCN7850 hw2.0 PCI with firmware WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3.
Workarounds
- Use wired Ethernet connections as an alternative to Wi-Fi on affected systems
- Disable the ath12k driver and use alternative wireless adapters where possible
- Avoid triggering flush operations by minimizing Wi-Fi interface state changes
- Consider using older kernel versions without the wiphy work conversion if the patch cannot be immediately applied
# Check current kernel version for ath12k driver status
uname -r
# List loaded ath12k modules
lsmod | grep ath12k
# Check kernel logs for deadlock indicators
dmesg | grep -i "ath12k.*flush"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
