CVE-2026-46248 Overview
CVE-2026-46248 is a Linux kernel vulnerability in the ath12k Wi-Fi driver used by Qualcomm WCN/QCN-series wireless chipsets. The flaw involves a stale link mapping in the ahvif->links_map structure when Multi-Link Operation (MLO) connection preparation fails before the arvif is fully created. When a subsequent arvif is initialized with the same link identifier, the stale mapping triggers a WARN_ON at drivers/net/wireless/ath/ath12k/mac.c:4271 inside ath12k_mac_op_change_vif_links. The defect impacts non-AP STA mode operations and can disrupt wireless connectivity on affected systems.
Critical Impact
A stale link mapping in the ath12k driver can produce kernel warnings and unstable wireless state during MLO authentication, affecting Wi-Fi 7 client connections on Qualcomm QCN9274 and related hardware.
Affected Products
- Linux kernel versions containing the ath12k driver prior to the fix commits
- Systems using Qualcomm QCN9274 hw2.0 PCI wireless hardware (tested platform)
- Linux distributions shipping Wi-Fi 7 ath12k support with MLO enabled
Discovery Timeline
- 2026-06-03 - CVE-2026-46248 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46248
Vulnerability Analysis
The vulnerability resides in the ath12k driver's Multi-Link Operation handling. When an arvif (ath12k virtual interface) is initialized in non-AP STA mode, the driver records the link in ahvif->links_map. If MLO connection preparation fails before the arvif is actually created, the arvif->is_created flag remains false. The error path then attempts to delete the associated links, but link deletion only proceeds when arvif->is_created is true. This logic gap leaves the ahvif structure holding a stale reference to an arvif that was initialized but never fully created.
When a new arvif is later initialized with the same link ID, the driver detects the inconsistent state and triggers WARN_ON inside ath12k_mac_op_change_vif_links. The call chain involves drv_change_vif_links, ieee80211_vif_update_links, ieee80211_prep_connection, and ieee80211_mgd_auth, indicating the issue surfaces during the IEEE 802.11 authentication flow initiated by user-space supplicants such as wpa_supplicant.
Root Cause
The root cause is asymmetric state tracking in the error path of MLO connection setup. The initialization routine populates ahvif->links_map unconditionally, while the cleanup routine gates link deletion behind arvif->is_created. Failures between these two points leave residual link mappings that conflict with future operations on the same link ID.
Attack Vector
The defect is reachable through normal Wi-Fi association attempts when MLO preparation fails. A local attacker or an adversarial wireless environment causing repeated MLO authentication failures could provoke the WARN condition and produce inconsistent driver state. The upstream fix unassigns the link VIF and clears ahvif->links_map when an arvif is initialized but not created, restoring symmetric cleanup. See the kernel commit log for the implementation.
Detection Methods for CVE-2026-46248
Indicators of Compromise
- Kernel warning messages referencing ath12k_mac_op_change_vif_links+0x140/0x180 in dmesg or journalctl output
- Repeated WARN_ON entries originating from drivers/net/wireless/ath/ath12k/mac.c:4271
- wpa_supplicant authentication failures coinciding with kernel stack traces involving drv_change_vif_links and ieee80211_vif_update_links
Detection Strategies
- Monitor kernel ring buffers for ath12k warnings using log shippers and centralized logging pipelines
- Audit running kernel versions against the patched commits listed by kernel.org stable maintainers
- Correlate Wi-Fi association failures on QCN9274 hardware with kernel taint flags introduced by WARN_ON
Monitoring Recommendations
- Forward /var/log/kern.log and journald entries to a centralized SIEM or log aggregation platform
- Alert on any WARN_ON originating from wireless driver call paths on managed Linux endpoints
- Track kernel package versions across the fleet to identify hosts still running pre-patch ath12k builds
How to Mitigate CVE-2026-46248
Immediate Actions Required
- Update affected Linux systems to a kernel version containing the upstream fixes referenced in the stable tree commits
- Inventory devices using Qualcomm QCN9274 or other ath12k-supported chipsets and prioritize their patching
- Validate that distribution backports include the link mapping fix before deploying broadly
Patch Information
The issue is resolved by three upstream commits in the Linux stable tree: 2c1ba9c2adf0, acd8319e834b, and da289440f04c. The fix unassigns the link VIF and clears ahvif->links_map when an arvif is only initialized but not created, preventing stale mappings from persisting across connection attempts.
Workarounds
- Disable Multi-Link Operation in wpa_supplicant configuration if patching is not immediately possible
- Restrict use of ath12k hardware to environments where MLO is not required until kernels are updated
- Reload the ath12k module after observed warnings to reset driver state as a temporary measure
# Verify running kernel version and ath12k module
uname -r
modinfo ath12k | grep -E '^(filename|version|srcversion)'
# Watch for ath12k warnings in real time
dmesg -wH | grep -i ath12k
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
