CVE-2026-53318 Overview
CVE-2026-53318 is a NULL pointer dereference vulnerability in the Linux kernel's mt76 wireless driver, specifically affecting the MediaTek MT7925 Wi-Fi chipset support. The flaw resides in the mt7925_tx_check_aggr() function, which dereferences the sta (station) pointer before verifying that it is non-NULL. When the kernel processes a transmit path where sta is NULL, the resulting dereference triggers a kernel crash. The upstream fix reorders the NULL check to precede the dereference. This class of defect is tracked as [CWE-476].
Critical Impact
A NULL sta pointer reaching mt7925_tx_check_aggr() causes a kernel oops, resulting in denial of service on systems using the affected MediaTek MT7925 Wi-Fi driver.
Affected Products
- Linux kernel builds shipping the mt76 driver with mt7925 chipset support
- Systems using MediaTek MT7925 Wi-Fi hardware
- Distributions tracking mainline and stable kernel trees prior to the fix commits
Discovery Timeline
- 2026-06-26 - CVE-2026-53318 published to NVD
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-53318
Vulnerability Analysis
The defect lives in the transmit-side aggregation check for the MediaTek MT7925 Wi-Fi driver inside the mt76 subsystem. The function mt7925_tx_check_aggr() accesses fields on the sta (ieee80211_sta) pointer before validating it. Under conditions where the transmit path invokes this helper without an associated station — such as broadcast, multicast, or management frames — sta can legitimately be NULL. Dereferencing this NULL pointer results in a kernel oops and halts the affected code path. On most kernel configurations, the resulting fault terminates the offending context and can render the Wi-Fi stack unusable until reboot.
Root Cause
The root cause is an ordering bug: the driver reads members of sta before it performs the NULL check that would guard the access. The upstream patch series moves the if (!sta) guard to precede any field access on the pointer, aligning the function with the invariant that sta may be NULL in the transmit path. Fixes landed across stable branches in commits 28ed0b6, 83ae3a1, 93d0694, and b033242.
Attack Vector
Triggering the fault requires a transmit code path in which mt7925_tx_check_aggr() runs with a NULL station pointer. This is typically reached by frames that are not tied to a peer station, including group-addressed traffic and certain management frames. A local user with the ability to influence Wi-Fi traffic, or an adjacent attacker able to induce specific frame exchanges, can produce the crash. The observable impact is a kernel-side denial of service on the affected host.
No verified public exploit code is available. The vulnerability is described in prose based on the upstream commit messages referenced in the Linux stable tree.
Detection Methods for CVE-2026-53318
Indicators of Compromise
- Kernel oops or panic messages referencing mt7925_tx_check_aggr in dmesg or journalctl -k output
- Sudden loss of Wi-Fi connectivity on systems using MediaTek MT7925 hardware, accompanied by driver stack traces
- Repeated crashes correlated with broadcast, multicast, or management frame activity on the wireless interface
Detection Strategies
- Inventory Linux hosts running the mt76/mt7925 driver and compare their kernel versions against the commits 28ed0b6, 83ae3a1, 93d0694, and b033242
- Parse kernel ring buffer logs for NULL pointer dereference stack traces originating in mt7925_tx_check_aggr or adjacent mt76 symbols
- Track kernel package versions across managed endpoints to identify hosts still on unpatched builds
Monitoring Recommendations
- Forward kern.log and journal entries to a central log store and alert on BUG: or Oops: events referencing mt7925 symbols
- Monitor for unexpected Wi-Fi interface resets, driver reload events, or NetworkManager reconnect storms on affected hardware
- Track host uptime regressions on laptops and IoT devices with MT7925 chipsets to spot recurring crash conditions
How to Mitigate CVE-2026-53318
Immediate Actions Required
- Update the Linux kernel to a version containing one of the fix commits (28ed0b6, 83ae3a1, 93d0694, b033242) from the distribution vendor
- Prioritize patching on endpoints and edge devices that use MediaTek MT7925 Wi-Fi hardware
- Reboot systems after applying the kernel update to load the fixed driver
Patch Information
The fix moves the NULL check for sta ahead of any dereference in mt7925_tx_check_aggr(). The corrective commits are available in the Linux stable tree: Commit 28ed0b6, Commit 83ae3a1, Commit 93d0694, and Commit b033242. Consume the fix through the appropriate distribution kernel package rather than backporting manually where possible.
Workarounds
- Where patching is not immediately possible, unload the mt7925e or mt7925u module and disable the affected Wi-Fi interface on hosts that can operate on wired networking
- Restrict physical and adjacent network access to systems running unpatched MT7925 drivers to reduce the opportunity to induce the crash
- Blocklist the vulnerable module in /etc/modprobe.d/ on servers or appliances that do not require Wi-Fi
# Example: temporarily disable the vulnerable driver until patched
sudo modprobe -r mt7925e
echo 'blacklist mt7925e' | sudo tee /etc/modprobe.d/disable-mt7925.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

