CVE-2026-43325 Overview
CVE-2026-43325 is a denial-of-service vulnerability in the Linux kernel's iwlwifi Intel wireless driver, specifically within the mvm (multi-virtual MAC) component. The flaw involves the MCC_ALLOWED_AP_TYPE_CMD command, which relates to Wi-Fi 6E (6 GHz band) support. Firmware mistakenly advertises support for this command on devices like the Intel AX201 that do not support 6E, causing the firmware to crash when the command is sent. The kernel fix prevents the driver from sending the command unless the device actually supports 6E.
Critical Impact
A local attacker with low privileges can trigger a firmware crash on affected Intel Wi-Fi adapters, leading to loss of wireless connectivity on the host system.
Affected Products
- Linux Kernel (stable branches receiving the backport)
- Linux Kernel 7.0 release candidates rc1 through rc7
- Systems using Intel iwlwifi driver with non-6E hardware such as Intel AX201
Discovery Timeline
- 2026-05-08 - CVE-2026-43325 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43325
Vulnerability Analysis
The vulnerability resides in the Intel wireless LAN driver (iwlwifi) mvm opmode within the Linux kernel. The driver sends MCC_ALLOWED_AP_TYPE_CMD to the firmware as part of regulatory and access-point type configuration tied to Wi-Fi 6E (the 6 GHz band). The firmware on certain devices, including the Intel AX201, incorrectly advertises support for this command despite lacking 6E capability. When the driver issues the command, the firmware crashes, taking down the wireless interface and triggering kernel-side recovery routines.
The defect is a missing capability check in the driver before issuing a firmware command. The fix conditions the transmission of MCC_ALLOWED_AP_TYPE_CMD on a verified 6E support flag rather than relying solely on the firmware's command-support advertisement.
Root Cause
The root cause is improper trust of a firmware-advertised capability bit. The driver assumed that if the firmware reported support for MCC_ALLOWED_AP_TYPE_CMD, it was safe to send. On non-6E hardware, the firmware reports support incorrectly, and dispatching the command leads to a crash. This is a logic error in the driver's command-gating path rather than a memory-safety issue, classified by NVD under NVD-CWE-noinfo.
Attack Vector
Exploitation requires local access with low privileges on a system using a vulnerable Intel Wi-Fi adapter. An actor able to trigger the driver's regulatory configuration path, such as through interface configuration changes that invoke the MCC (Mobile Country Code) update flow, can induce the firmware crash. The result is a high-impact availability loss confined to the wireless subsystem. There is no confidentiality or integrity impact, and no remote attack vector.
No public proof-of-concept exploit is available, and the issue has not been added to the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.013%.
Detection Methods for CVE-2026-43325
Indicators of Compromise
- Kernel log entries from the iwlwifi driver indicating firmware errors or NMI assertions following a regulatory or MCC configuration event.
- Repeated wireless interface resets or iwlwifi firmware reload messages in dmesg.
- Loss of Wi-Fi connectivity on systems with Intel AX201 or similar non-6E adapters running affected kernel builds.
Detection Strategies
- Inventory kernel versions across managed Linux hosts and flag systems running 7.0-rc1 through 7.0-rc7 or unpatched stable branches.
- Correlate iwlwifi firmware-crash events with preceding MCC_ALLOWED_AP_TYPE_CMD activity in verbose driver logs.
- Monitor for unexpected wireless interface downtime on endpoints using Intel Wi-Fi 6 (non-6E) hardware.
Monitoring Recommendations
- Centralize dmesg and journald output to a SIEM or log analytics platform and alert on iwlwifi firmware-error signatures.
- Track patch deployment progress against the upstream stable kernel commits referenced in the vendor advisory.
- Baseline wireless interface uptime to surface anomalous reset patterns indicative of repeated firmware crashes.
How to Mitigate CVE-2026-43325
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the Kernel.org commit 323156c3, commit 6607d0e5, and commit c0b3fa5e.
- Update to a distribution kernel that includes the iwlwifi mvm fix for MCC_ALLOWED_AP_TYPE_CMD gating.
- Restrict local account access on multi-user systems with affected Intel Wi-Fi hardware until patched.
Patch Information
The fix has been merged into the upstream Linux kernel stable tree across three commits. The patch adds a 6E support check before the driver issues MCC_ALLOWED_AP_TYPE_CMD. Distribution maintainers are expected to backport the change to supported stable branches. Verify the running kernel via uname -r and confirm the patched commit is present in the vendor's changelog.
Workarounds
- Disable the iwlwifi driver on affected hosts where wireless connectivity is non-essential by blacklisting the module in /etc/modprobe.d/.
- Switch to a wired network interface on systems with Intel AX201 adapters until the kernel update is deployed.
- Avoid triggering MCC and regulatory updates on unpatched systems, including manual iw reg set operations.
# Configuration example: blacklist iwlwifi until the patched kernel is installed
echo "blacklist iwlwifi" | sudo tee /etc/modprobe.d/blacklist-iwlwifi.conf
sudo update-initramfs -u
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
