On 18 June 2026 an out-of-bounds read in the MediaTek t7xx WWAN driver was disclosed on the oss-security list. That driver is the kernel module that drives the MediaTek T7xx 5G modems found in many laptops and devices with built-in cellular connectivity. The flaw was assigned CVE-2026-43495 with a CVSS v3 score of 8.8.
What goes wrong
The driver lives in drivers/net/wwan/t7xx in the kernel tree. While the link with the modem is being brought up, t7xx_port_enum_msg_handler() receives a port enumeration message and uses the port_count field sent by the modem itself as the loop bound when walking through the port descriptions. The catch: that value is never checked against the actual size of the received buffer.
A modem that declares port_count=65535 inside a buffer of just 12 bytes forces the driver to iterate well past the data that actually arrived. The result is a slab-out-of-bounds read of up to 262140 bytes of contiguous kernel memory. That memory may hold data from other system structures, so the bug opens the door to a kernel information leak.
Who is affected
This affects Linux systems that have the t7xx driver built and a MediaTek T7xx modem attached. You will mostly run into it on laptops with integrated 5G WWAN and on some embedded devices with cellular connectivity. The attack vector is the modem firmware itself: an attacker who controls or replaces that firmware, or plugs in tampered hardware, can trigger the out-of-bounds read. It is not exploitable from a web page or from the normal IP network, only from the modem side.
The high severity (8.8) reflects that leaking kernel memory can be chained with other techniques to escalate privileges or defeat mitigations such as KASLR.
Mitigation and patch
The fix landed in mainline before public disclosure and is being backported to the stable branches. The patch validates the buffer size before reading the port message headers, uses struct_size() to confirm there is enough data once port_count has been extracted, and adds equivalent checks in t7xx_parse_host_rt_data() when reading the rt_feature headers.
What to do:
- Update the kernel to a version that includes the fix. Major distributions are shipping corrected packages; check your distro’s security advisories.
- If you do not use MediaTek WWAN, you can unload the module (
rmmod mtk_t7xx) or blacklist it until the patch is in place. - In setups where the modem firmware comes from an untrusted source, treat it as attack surface.
You can check supported versions and the kernel lifecycle on our Linux kernel page.
Source
- Tenable — CVE-2026-43495: https://www.tenable.com/cve/CVE-2026-43495
- NVD — CVE-2026-43495: https://nvd.nist.gov/vuln/detail/CVE-2026-43495