HIGH
mac80211 LinkID OOB
CVE-2026-23246
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 8.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration
link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15 is out-of-bounds. Skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write.
02 KernelScan AI Analysis
Risk summary
Adjacent attackers within WiFi range can trigger a stack buffer overflow in the WiFi mac80211 subsystem by sending malformed ML Reconfiguration elements with link_id 15. This can lead to kernel memory corruption, privilege escalation, or system crashes on devices with WiFi enabled.
Vulnerability analysis
The vulnerability occurs in ieee80211_ml_reconfiguration() where link_id is extracted from a received ML Reconfiguration element using (control & 0x000f), allowing values 0-15. However, the link_removal_timeout[] array has only IEEE80211_MLD_MAX_NUM_LINKS (15) elements, making index 15 out-of-bounds. The original code directly uses this attacker-controlled link_id to index the stack-allocated array, causing a stack out-of-bounds write. The fix adds a bounds check to skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS. This is reachable over the WiFi interface when processing Multi-Link Device (MLD) reconfiguration frames, requiring no privileges on the target system.
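A simplified user-space model of the indexing pattern described above, added here as an illustration; it is not taken from the kernel source or the patch. `struct subelem`, `struct frame_model`, the function names and the canary slot are assumptions, and only the `0x000f` mask and the array size of 15 come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IEEE80211_MLD_MAX_NUM_LINKS 15 /* array size given in the advisory */
#define LINK_ID_MASK 0x000f            /* mask given in the advisory */
#define GUARD 0xA5A5                   /* constructed canary value */

/* Hypothetical, simplified per-link subelement: control word plus timeout. */
struct subelem { uint16_t control; uint16_t timeout; };

/* 15 real slots plus one slot modelling the memory next to the array. */
struct frame_model { uint16_t slot[IEEE80211_MLD_MAX_NUM_LINKS + 1]; };

static void model_init(struct frame_model *m)
{
    memset(m, 0, sizeof(*m));
    m->slot[IEEE80211_MLD_MAX_NUM_LINKS] = GUARD;
}

/* Pre-fix pattern: the masked value is used as the index with no check. */
void store_unchecked(struct frame_model *m, const struct subelem *s, size_t n)
{
    model_init(m);
    for (size_t i = 0; i < n; i++)
        m->slot[s[i].control & LINK_ID_MASK] = s[i].timeout;
}

/* Post-fix pattern: skip link_id >= IEEE80211_MLD_MAX_NUM_LINKS.
 * Returns the number of subelements skipped. */
int store_checked(struct frame_model *m, const struct subelem *s, size_t n)
{
    int skipped = 0;

    model_init(m);
    for (size_t i = 0; i < n; i++) {
        unsigned int link_id = s[i].control & LINK_ID_MASK;

        if (link_id >= IEEE80211_MLD_MAX_NUM_LINKS) {
            skipped++;
            continue;
        }
        m->slot[link_id] = s[i].timeout;
    }
    return skipped;
}

/* 1 if the modelled neighbour of the array still holds the canary. */
int guard_intact(const struct frame_model *m)
{
    return m->slot[IEEE80211_MLD_MAX_NUM_LINKS] == GUARD;
}
```

The sixteenth slot exists only so the unchecked write stays defined in the model; in the real function there is no such slot, and index 15 lands on adjacent stack memory.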
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.77 | bfde158d5d13 |
| 6.18 | 6.18.17 | f35ceec54d48 |
| 6.19 | 6.19.7 | d58d71c21676 |
| 6.6 | 6.6.130 | 650981e718e6 |
| mainline | 7.0 | 162d331d833d |