
Богдан Пилипенко

#32978 of 53,635
7.8 Total CVSS
Vulnerabilities · 1
PT-2021-8010
7.8
2021-04-18
Linux · Linux Kernel · CVE-2021-47065
**Name of the Vulnerable Software and Affected Versions**

Linux kernel versions prior to 5.12.0-rc5

**Description**

The issue is an array overrun in the `rtw_get_tx_power_params()` function. For channel 14 the value of `group` is 5, which causes an out-of-bounds access to the `bw40_base` array: the dimension of `bw40_base` is 5, so a `group` of 5 is past the end of the array. The fix adds the rate as an argument to `rtw_get_channel_group()` and sets the group for channel 14 to 4 if the rate is less than or equal to `DESC_RATE11M`.

**Recommendations**

To resolve this issue, update the Linux kernel to a version that includes the fix for the array overrun in `rtw_get_tx_power_params()`. Specifically, ensure that the kernel version is 5.12.0-rc5 or later. If updating is not feasible, consider applying the patch that fixes commit fa6dfe6bff24 ("rtw88: resolve order of tx power setting routines") to the affected kernel version.