HIGH
mac80211 TDLS Validation
CVE-2026-43052
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
KernelScan AI 3.8 LOW
01 Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: check tdls flag in ieee80211_tdls_oper

When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the station exists but not whether it is actually a TDLS station. This allows the operation to proceed for non-TDLS stations, causing unintended side effects like modifying channel context and HT protection before failing.

Add a check for sta->sta.tdls early in the ENABLE_LINK case, before any side effects occur, to ensure the operation is only allowed for actual TDLS peers.
02 KernelScan AI Analysis
Risk summary
Administrators with CAP_NET_ADMIN can trigger unintended modifications to WiFi channel context and HT protection settings by calling TDLS operations on non-TDLS stations. This could cause operational issues in WiFi networks but requires elevated privileges to exploit.
Vulnerability analysis
The ieee80211_tdls_oper function fails to validate that a target station is actually a TDLS peer before performing TDLS-specific operations. When NL80211_TDLS_ENABLE_LINK is called, the code only checks station existence but not the sta->sta.tdls flag, allowing operations on regular stations that cause unintended side effects like channel context modifications. The fix adds a tdls flag check early in the validation to ensure operations only proceed for actual TDLS peers. Attack surface is limited to local netlink access requiring CAP_NET_ADMIN privileges.
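The check-ordering problem described above, as an added example that is not the kernel's code or the upstream patch: a simplified user-space model comparing the unpatched and patched ordering. All struct and function names are hypothetical, and the error codes are assumptions.

```c
/* Simplified model of the check ordering; not kernel code. Names are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct model_sta  { bool tdls; };   /* stands in for sta->sta.tdls */
struct model_link { int chanctx_recalcs; int ht_prot_recalcs; bool peer_authorized; };

/* Stand-ins for the two side effects the description names. */
static void recalc_chanctx(struct model_link *l)       { l->chanctx_recalcs++; }
static void recalc_ht_protection(struct model_link *l) { l->ht_prot_recalcs++; }

/* Before the fix: only station existence is checked, so shared link state
 * has already been modified when a non-TDLS station is finally rejected. */
int enable_link_unpatched(struct model_link *l, const struct model_sta *sta)
{
    if (!sta)
        return -ENOLINK;            /* assumed error code */
    recalc_chanctx(l);
    recalc_ht_protection(l);
    if (!sta->tdls)
        return -EINVAL;             /* stand-in for the later failure */
    l->peer_authorized = true;
    return 0;
}

/* After the fix: the tdls flag is validated before any side effect. */
int enable_link_patched(struct model_link *l, const struct model_sta *sta)
{
    if (!sta || !sta->tdls)
        return -ENOLINK;            /* assumed error code */
    recalc_chanctx(l);
    recalc_ht_protection(l);
    l->peer_authorized = true;
    return 0;
}

/* Count state changes left behind by a rejected call on a non-TDLS station. */
int side_effects_after_reject(int (*op)(struct model_link *, const struct model_sta *))
{
    struct model_link link = {0};
    struct model_sta regular = { .tdls = false };   /* constructed sample station */
    if (op(&link, &regular) == 0)
        return -1;                                  /* call should have been rejected */
    return link.chanctx_recalcs + link.ht_prot_recalcs;
}

int main(void)
{
    printf("unpatched: %d side effects after reject\n", side_effects_after_reject(enable_link_unpatched));
    printf("patched:   %d side effects after reject\n", side_effects_after_reject(enable_link_patched));
    return 0;
}
```

The same property makes a useful regression check for any handler of this shape: a rejected request must leave shared state untouched.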
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.209 | 6813a8b1b240 |
| 6.1 | 6.1.175 | 44839ea7e96b |
| 6.12 | 6.12.81 | 8148c2fda4eb |
| 6.18 | 6.18.22 | be81f17151fc |
| 6.19 | 6.19.12 | e77b2937aaa2 |
| 6.6 | 6.6.142 | ba5b43db126a |
| mainline | 7.0 | 7d73872d949c |