Description
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request Make sure that n_channels is set after allocating the struct cfg80211_registered_device::int_scan_req member. Seen with syzkaller: UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5 index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]') This was missed in the initial conversions because I failed to locate the allocation likely due to the "sizeof(void *)" not matching the "channels" array type.
References (4)
Scores
CVSS v3
7.8
EPSS
0.0007
EPSS Percentile
20.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-129
Status
published
Products (5)
linux/Kernel
6.13.0 - 6.14.8linux
linux/Kernel
6.6.0 - 6.6.92linux
linux/Kernel
6.7.0 - 6.12.30linux
linux/linux_kernel
6.15 rc1 (6 CPE variants)
linux/linux_kernel
6.6 - 6.6.92
Published
Jun 18, 2025
Tracked Since
Feb 18, 2026