8.8

CVE-2026-46125

wifi: mac80211: remove station if connection prep fails

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: remove station if connection prep fails

If connection preparation fails for MLO connections, then the
interface is completely reset to non-MLD. In this case, we must
not keep the station since it's related to the link of the vif
being removed. Delete an existing station. Any "new_sta" is
already being removed, so that doesn't need changes.

This fixes a use-after-free/double-free in debugfs if that's
enabled, because a vif going from MLD (and to MLD, but that's
not relevant here) recreates its entire debugfs.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 6.0 < 6.1.176
LinuxLinux Kernel Version >= 6.2 < 6.6.140
LinuxLinux Kernel Version >= 6.7 < 6.12.88
LinuxLinux Kernel Version >= 6.13 < 6.18.30
LinuxLinux Kernel Version >= 6.19 < 7.0.7
LinuxLinux Kernel Version7.1 Updaterc1
LinuxLinux Kernel Version7.1 Updaterc2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.3% 0.218
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 8.8 2.8 5.9
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 6.8 0.9 5.9
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

CWE-825 Expired Pointer Dereference

The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.

https://git.kernel.org/stable/c/fe75fa1ac9a92990f7fc3d34b17808fd933071b2
Patch
https://git.kernel.org/stable/c/afcbaed89cdc1a001b43270cbf5394bb4804270a
Patch
https://git.kernel.org/stable/c/9e28654f79f443bca9b29ff3ae7cf18abfba58a0
Patch
https://git.kernel.org/stable/c/1c2b72ea89882aeb948340498391e69c58d466f1
Patch
https://git.kernel.org/stable/c/283fc9e44ff5b5ac967439b4951b80bd4299f4e4
Patch
https://git.kernel.org/stable/c/18fed0a209500bfea5c4c08609ec93855e4e500b
Patch
https://access.redhat.com/errata/RHSA-2026:27288
https://access.redhat.com/errata/RHSA-2026:27731
https://access.redhat.com/errata/RHSA-2026:27789
https://access.redhat.com/errata/RHSA-2026:26427
https://access.redhat.com/errata/RHSA-2026:26428
https://access.redhat.com/errata/RHSA-2026:27708
https://access.redhat.com/errata/RHSA-2026:26462
https://access.redhat.com/errata/RHSA-2026:26515
https://access.redhat.com/errata/RHSA-2026:26563
https://access.redhat.com/errata/RHSA-2026:27735
https://access.redhat.com/security/cve/CVE-2026-46125
https://bugzilla.redhat.com/show_bug.cgi?id=2482608
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46125.json