EUVD-2026-40013

A vulnerability was detected in Tenda JD12L 16.03.53.23. The affected element is the function fromSetWifiGusetBasic of the file /goform/WifiGuestSet. Performing a manipulation of the argument shareSpeed results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is n...

CVE-2026-13516

CVE-2026-13516 affects Tenda JD12L 16.03.53.23. The vulnerable element is the function fromSetWifiGusetBasic in /goform/WifiGuestSet; manipulating the argument shareSpeed results in a stack-based buffer overflow. The attack can be initiated remotely, and public exploits exist. No remediation deta...

Acexy Wireless-N WiFi Repeater REV 1.0 - Repeater Password Disclosure

Acexy Wireless-N WiFi Repeater REV 1.0 is vulnerable to password disclosure because the password.html page of the web management interface contains the administrator account password in plaintext. id: CVE-2021-28937 info: name: Acexy Wireless-N WiFi Repeater REV 1.0 - Repeater Password Disclosure...

VelotiSmart Wifi - Directory Traversal

VelotiSmart WiFi B-380 camera devices allow directory traversal via the uc-http service 1.0.0, as demonstrated by /../../etc/passwd on TCP port 80. id: CVE-2018-14064 info: name: VelotiSmart Wifi - Directory Traversal author: 0xAkoko severity: critical description: VelotiSmart WiFi B-380 camera...

Netis Wifi Router - Information Disclosure

An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a...

EUVD-2026-39853

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925txcheckaggr Move the NULL check for 'sta' before dereferencing it to prevent a possible crash...

CVE-2026-53318

CVE-2026-53318 describes a fix in the Linux kernel’s wireless stack: for mt76/mt7925, a NULL pointer dereference in mt7925_tx_check_aggr() was mitigated by moving the NULL check for the 'sta' pointer before its dereference, preventing a possible crash. The vulnerability affects the mt7925 compone...

CVE-2026-53317

In CVE-2026-53317, a Linux kernel wifi mt76 mt7921 issue allowed a firmware crash when an AID exceeded 20 on IFTYPE_AP. Tests showed stock hostapd starts AIDs at 1, but a modified hostapd allocated at 65, triggering the crash. The fix enforces an upper limit on associated stations so AIDs above 2...

CVE-2026-53101

A flaw was found in the Linux kernel's mt7921 Wi-Fi driver. A potential deadlock can occur when the rocabortsync function attempts to cancel a work item while rocwork is still running and holding a mutex. This situation, which can arise during Wi-Fi station removal, causes both sides to block,...

UBUNTU-CVE-2026-53182

In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject oversized EMA RNR lists nl80211parsernrelems stores the parsed element count in a u8-backed cfg80211rnrelems::cnt field and uses that count to size the flexible array allocation. Reject nested...

CVE-2026-38571

The CVE-2026-38571 entry concerns the Tenda N300 F3 (V603) router. It describes an unauthenticated UART debug console where cleartext WPA2 credentials can be exposed and rr/wr memory read/write commands lack authentication, enabling a physically proximate attacker to obtain credentials in clearte...

CVE-2026-53102

A flaw was found in the Linux kernel's mt76 Wi-Fi driver. This vulnerability, a memory leak, occurs when the mt76connacmcuallocstareq function allocates a socket buffer skb that is not properly freed if subsequent operations, such as mt76connacmcustawedupdate or mt76connacmcustakeytlv, fail. This...

CVE-2026-53182

In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject oversized EMA RNR lists nl80211parsernrelems stores the parsed element count in a u8-backed cfg80211rnrelems::cnt field and uses that count to size the flexible array allocation. Reject nested...

CVE-2026-53257

The CVE-2026-53257 entry concerns the Linux kernel’s wifi stack (mac80211/cfg80211) where HE/EHT capability elements (HE/EHT cap and oper) must be consistent. The bug allowed a crash in mac80211 when eht_cap is set but eht_oper isn’t; the fix enforces that both HE and EHT elements are aligned to ...

EUVD-2026-39208

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: enforce HE/EHT cap/oper consistency Xiang Mei reports that mac80211 could crash if ehtcap is set but ehtoper isn't. Rather than fixing that for the individual users, enforce that both HE/EHT have consistent elemen...

CVE-2026-53258

The CVE describes a memory leak in the Linux kernel wlan 6 GHz scanning path. Root cause: rdev->int_scan_req is leaked when cfg80211_scan() fails, because the expected release at ___cfg80211_scan_done() doesn’t occur since rdev->scan_req is NULL at that point, causing the freeing function t...

CVE-2026-53257

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: enforce HE/EHT cap/oper consistency Xiang Mei reports that mac80211 could crash if ehtcap is set but ehtoper isn't. Rather than fixing that for the individual users, enforce that both HE/EHT have consistent elemen...

CVE-2026-53258

In the Linux kernel, the following vulnerability has been resolved: wifi: fix leak if split 6 GHz scanning fails rdev-intscanreq is leaked if cfg80211scan fails. Note that it's supposed to be released at cfg80211scandone but this doesn't happen as rdev-scanreq is NULL at that point, too, leading ...

CVE-2026-53182

CVE-2026-53182 affects the Linux kernel nl80211: rejects oversized EMA RNR lists in nl80211_parse_rnr_elems, using a u8 counter and capping at 255 to align with the underlying data structure. Several advisories (Red Hat, Debian family, Ubuntu OSV entries, and Root) confirm patches are released in...

CVE-2026-53182 wifi: nl80211: reject oversized EMA RNR lists

In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject oversized EMA RNR lists nl80211parsernrelems stores the parsed element count in a u8-backed cfg80211rnrelems::cnt field and uses that count to size the flexible array allocation. Reject nested...