CVE-2026-24803 identifies a critical vulnerability classified as CWE-835 (Loop with Unreachable Exit Condition) in the coolsnowwolf LEDE open-source router firmware, specifically within the mt7615d Wi-Fi driver's embedded security modules. The vulnerability resides in the bn_lib.C source file, where a loop is constructed without a reachable exit condition, effectively causing an infinite loop during execution. This flaw affects all versions of coolsnowwolf LEDE up to and including r25.10.1. The infinite loop can be triggered remotely without requiring any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:N). The impact of this infinite loop is a denial of service (DoS) condition, where the affected device's availability is severely compromised due to the CPU being stuck in the loop, rendering the device unresponsive. The CVSS v4.0 base score of 9.2 reflects the critical severity, emphasizing the ease of exploitation and the high impact on availability. No patches or fixes have been published at the time of disclosure, and no known exploits are currently active in the wild. The vulnerability is particularly relevant for devices using the mt7615d Wi-Fi chipset running the coolsnowwolf LEDE firmware, which is popular in custom router firmware communities and embedded device deployments. The infinite loop could be exploited by an attacker sending crafted network packets to the vulnerable device, causing it to enter the loop and disrupt normal operations.

For European organizations, the primary impact of CVE-2026-24803 is a denial of service on network devices running the coolsnowwolf LEDE firmware with the mt7615d Wi-Fi driver. This can lead to network outages, loss of connectivity, and potential disruption of critical services relying on these devices. Organizations in sectors such as telecommunications, ISPs, and enterprises using custom or embedded routers with this firmware are at heightened risk. The unavailability of affected devices could impair business continuity, especially in environments where redundancy is limited or where these devices serve as critical network infrastructure. Additionally, the lack of authentication and user interaction requirements means attackers can remotely exploit this vulnerability without prior access, increasing the threat surface. Although no known exploits exist yet, the critical CVSS score suggests that once exploit code is developed, attacks could become widespread. The impact on confidentiality and integrity is minimal, but the availability impact is severe, potentially affecting operational technology and IoT deployments common in European industries.

1. Immediate mitigation should focus on network segmentation and access control to limit exposure of vulnerable devices to untrusted networks, especially the internet. 2. Employ firewall rules to restrict inbound traffic to the affected devices, allowing only trusted management hosts. 3. Monitor network traffic for unusual patterns that could indicate attempts to trigger the infinite loop. 4. Engage with the coolsnowwolf LEDE community and vendor channels to track the release of official patches or firmware updates addressing this vulnerability. 5. Where possible, replace or upgrade affected devices with versions not using the vulnerable mt7615d driver or switch to alternative firmware distributions with patches applied. 6. Implement redundancy and failover mechanisms in network design to mitigate potential downtime caused by device unavailability. 7. Conduct internal audits to inventory devices running coolsnowwolf LEDE firmware and assess exposure. 8. Prepare incident response plans specifically for denial of service scenarios affecting network infrastructure. 9. Avoid deploying untrusted or unverified network packets to vulnerable devices by employing intrusion detection/prevention systems (IDS/IPS) with custom rules once exploit signatures become available.