CVE-2026-31394
EUVD-2026-1877003.04.2026, 16:16
In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA. Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data. [also change sta->sdata in ARRAY_SIZE even if it doesn't matter]Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 6.11 ≤ 𝑥 < 6.12.78 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.18.20 |
| linux | linux_kernel | 6.19 ≤ 𝑥 < 6.19.10 |
| linux | linux_kernel | 7.0:rc1 |
| linux | linux_kernel | 7.0:rc2 |
| linux | linux_kernel | 7.0:rc3 |
| linux | linux_kernel | 7.0:rc4 |
𝑥
= Vulnerable software versions
Debian Releases
openSUSE / SLES Releases
openSUSE Product | |||||||
|---|---|---|---|---|---|---|---|
| kernel-64kb |
| ||||||
| kernel-default |
| ||||||
| kernel-default-base |
| ||||||
| kernel-obs-build |
| ||||||
| kernel-source |
| ||||||
| kernel-zfcpdump |
|
Common Weakness Enumeration
Vulnerability Media Exposure