CVE-2026-23130 (GCVE-0-2026-23130)

Vulnerability from cvelistv5 – Published: 2026-02-14 15:09 – Updated: 2026-02-14 15:09
VLAI?
Title
wifi: ath12k: fix dead lock while flushing management frames
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dead lock while flushing management frames Commit [1] converted the management transmission work item into a wiphy work. Since a wiphy work can only run under wiphy lock protection, a race condition happens in below scenario: 1. a management frame is queued for transmission. 2. ath12k_mac_op_flush() gets called to flush pending frames associated with the hardware (i.e, vif being NULL). Then in ath12k_mac_flush() the process waits for the transmission done. 3. Since wiphy lock has been taken by the flush process, the transmission work item has no chance to run, hence the dead lock. >From user view, this dead lock results in below issue: wlp8s0: authenticate with xxxxxx (local address=xxxxxx) wlp8s0: send auth to xxxxxx (try 1/3) wlp8s0: authenticate with xxxxxx (local address=xxxxxx) wlp8s0: send auth to xxxxxx (try 1/3) wlp8s0: authenticated wlp8s0: associate with xxxxxx (try 1/3) wlp8s0: aborting association with xxxxxx by local choice (Reason: 3=DEAUTH_LEAVING) ath12k_pci 0000:08:00.0: failed to flush mgmt transmit queue, mgmt pkts pending 1 The dead lock can be avoided by invoking wiphy_work_flush() to proactively run the queued work item. Note actually it is already present in ath12k_mac_op_flush(), however it does not protect the case where vif being NULL. Hence move it ahead to cover this case as well. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 56dcbf0b520796e26b2bbe5686bdd305ad924954 , < 06ac2aa13f701a0296e92f5f54ae24224d426b28 (git)
Affected: 56dcbf0b520796e26b2bbe5686bdd305ad924954 , < f88e9fc30a261d63946ddc6cc6a33405e6aa27c3 (git)
Create a notification for this product.
    Linux Linux Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.18.8 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "06ac2aa13f701a0296e92f5f54ae24224d426b28",
              "status": "affected",
              "version": "56dcbf0b520796e26b2bbe5686bdd305ad924954",
              "versionType": "git"
            },
            {
              "lessThan": "f88e9fc30a261d63946ddc6cc6a33405e6aa27c3",
              "status": "affected",
              "version": "56dcbf0b520796e26b2bbe5686bdd305ad924954",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.8",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix dead lock while flushing management frames\n\nCommit [1] converted the management transmission work item into a\nwiphy work. Since a wiphy work can only run under wiphy lock\nprotection, a race condition happens in below scenario:\n\n1. a management frame is queued for transmission.\n2. ath12k_mac_op_flush() gets called to flush pending frames associated\n   with the hardware (i.e, vif being NULL). Then in ath12k_mac_flush()\n   the process waits for the transmission done.\n3. Since wiphy lock has been taken by the flush process, the transmission\n   work item has no chance to run, hence the dead lock.\n\n\u003eFrom user view, this dead lock results in below issue:\n\n wlp8s0: authenticate with xxxxxx (local address=xxxxxx)\n wlp8s0: send auth to xxxxxx (try 1/3)\n wlp8s0: authenticate with xxxxxx (local address=xxxxxx)\n wlp8s0: send auth to xxxxxx (try 1/3)\n wlp8s0: authenticated\n wlp8s0: associate with xxxxxx (try 1/3)\n wlp8s0: aborting association with xxxxxx by local choice (Reason: 3=DEAUTH_LEAVING)\n ath12k_pci 0000:08:00.0: failed to flush mgmt transmit queue, mgmt pkts pending 1\n\nThe dead lock can be avoided by invoking wiphy_work_flush() to proactively\nrun the queued work item. Note actually it is already present in\nath12k_mac_op_flush(), however it does not protect the case where vif\nbeing NULL. Hence move it ahead to cover this case as well.\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-14T15:09:58.239Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/06ac2aa13f701a0296e92f5f54ae24224d426b28"
        },
        {
          "url": "https://git.kernel.org/stable/c/f88e9fc30a261d63946ddc6cc6a33405e6aa27c3"
        }
      ],
      "title": "wifi: ath12k: fix dead lock while flushing management frames",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23130",
    "datePublished": "2026-02-14T15:09:58.239Z",
    "dateReserved": "2026-01-13T15:37:45.971Z",
    "dateUpdated": "2026-02-14T15:09:58.239Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23130\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-14T15:16:08.277\",\"lastModified\":\"2026-02-14T15:16:08.277\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath12k: fix dead lock while flushing management frames\\n\\nCommit [1] converted the management transmission work item into a\\nwiphy work. Since a wiphy work can only run under wiphy lock\\nprotection, a race condition happens in below scenario:\\n\\n1. a management frame is queued for transmission.\\n2. ath12k_mac_op_flush() gets called to flush pending frames associated\\n   with the hardware (i.e, vif being NULL). Then in ath12k_mac_flush()\\n   the process waits for the transmission done.\\n3. Since wiphy lock has been taken by the flush process, the transmission\\n   work item has no chance to run, hence the dead lock.\\n\\n\u003eFrom user view, this dead lock results in below issue:\\n\\n wlp8s0: authenticate with xxxxxx (local address=xxxxxx)\\n wlp8s0: send auth to xxxxxx (try 1/3)\\n wlp8s0: authenticate with xxxxxx (local address=xxxxxx)\\n wlp8s0: send auth to xxxxxx (try 1/3)\\n wlp8s0: authenticated\\n wlp8s0: associate with xxxxxx (try 1/3)\\n wlp8s0: aborting association with xxxxxx by local choice (Reason: 3=DEAUTH_LEAVING)\\n ath12k_pci 0000:08:00.0: failed to flush mgmt transmit queue, mgmt pkts pending 1\\n\\nThe dead lock can be avoided by invoking wiphy_work_flush() to proactively\\nrun the queued work item. Note actually it is already present in\\nath12k_mac_op_flush(), however it does not protect the case where vif\\nbeing NULL. Hence move it ahead to cover this case as well.\\n\\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/06ac2aa13f701a0296e92f5f54ae24224d426b28\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f88e9fc30a261d63946ddc6cc6a33405e6aa27c3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.