CVE-2026-31394

MEDIUM

mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations

Title source: cna

Description

In the Linux kernel, the following vulnerability has been resolved:

mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations

ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA.

Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data.

[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]
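The lookup described above, as an added userspace model (not kernel code and not the upstream patch). All struct layouts and the names model_get_bss_sdata(), sta_reserved_band() and demo() are assumptions made for illustration; the model returns -1 at the point where the kernel would have dereferenced chan == NULL.

```c
#include <stdio.h>

/* Simplified stand-ins for the mac80211 objects named in the description;
 * the field layout is an assumption, not the kernel's. */
enum iftype { IFTYPE_AP, IFTYPE_AP_VLAN };
struct channel { int band; };
struct chandef { struct channel *chan; };
struct link_data { struct chandef reserved_oper; };
struct sdata {
    enum iftype type;
    struct sdata *parent_ap;      /* set only on AP_VLAN interfaces */
    struct link_data link[1];
};
struct sta { struct sdata *sdata; };

/* Model of get_bss_sdata(): map a VLAN sdata to its parent AP sdata. */
static struct sdata *model_get_bss_sdata(struct sdata *sd)
{
    if (sd && sd->type == IFTYPE_AP_VLAN)
        sd = sd->parent_ap;
    return sd;
}

/* Band read from the reserved chandef for one station, or -1 where the
 * unfixed kernel path would have dereferenced a NULL chan. */
static int sta_reserved_band(const struct sta *sta, int resolve_vlan)
{
    struct sdata *sd = resolve_vlan ? model_get_bss_sdata(sta->sdata)
                                    : sta->sdata;
    if (!sd || !sd->link[0].reserved_oper.chan)
        return -1;
    return sd->link[0].reserved_oper.chan->band;
}

/* Constructed scenario: the AP holds a reservation on band 1 during CSA,
 * and a 4addr station is attached to the AP's VLAN interface. */
static int demo(int resolve_vlan)
{
    struct channel ch = { .band = 1 };
    struct sdata ap = { .type = IFTYPE_AP };
    struct sdata vlan = { .type = IFTYPE_AP_VLAN, .parent_ap = &ap };
    struct sta wds = { .sdata = &vlan };

    ap.link[0].reserved_oper.chan = &ch;   /* only the AP link reserves */
    return sta_reserved_band(&wds, resolve_vlan);
}

int main(void)
{
    printf("VLAN sdata: %d, parent AP sdata: %d\n", demo(0), demo(1));
    return 0;
}
```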

Scores

CVSS v3 5.5
EPSS 0.0001
EPSS Percentile 3.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-476
Status published
Products (17)
Linux/Linux < 6.11
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 3c6629e859a2211a1fbb4868f915413f80001ca5
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 5a86d4e920d9783a198e39cf53f0e410fba5fbd6
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 65c25b588994dd422fea73fa322de56e1ae4a33b
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 672e5229e1ecfc2a3509b53adcb914d8b024a853
Linux/Linux 6.11
Linux/Linux 6.12.78 - 6.12.*
Linux/Linux 6.18.20 - 6.18.*
Linux/Linux 6.19.10 - 6.19.*
Linux/Linux 7.0
... and 7 more
Published Apr 03, 2026
Tracked Since Apr 03, 2026