5.5
CVE-2026-31394
- EPSS 0.11%
- Veröffentlicht 03.04.2026 15:15:58
- Zuletzt bearbeitet 20.05.2026 15:08:26
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations
In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA. Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data. [also change sta->sdata in ARRAY_SIZE even if it doesn't matter]
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 6.11 < 6.12.78
Linux ≫ Linux Kernel Version >= 6.13 < 6.18.20
Linux ≫ Linux Kernel Version >= 6.19 < 6.19.10
Linux ≫ Linux Kernel Version7.0 Updaterc1
Linux ≫ Linux Kernel Version7.0 Updaterc2
Linux ≫ Linux Kernel Version7.0 Updaterc3
Linux ≫ Linux Kernel Version7.0 Updaterc4
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.11% | 0.017 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-476 NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.
https://git.kernel.org/stable/c/65c25b588994dd422fea73fa322de56e1ae4a33b
https://git.kernel.org/stable/c/5a86d4e920d9783a198e39cf53f0e410fba5fbd6
https://git.kernel.org/stable/c/3c6629e859a2211a1fbb4868f915413f80001ca5
https://git.kernel.org/stable/c/672e5229e1ecfc2a3509b53adcb914d8b024a853