HIGH
mac80211 MLO UAF
CVE-2026-46125
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 6.9 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: remove station if connection prep fails

If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any "new_sta" is already being removed, so that doesn't need changes.

This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.
02 KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in WiFi mac80211 MLO connection handling can cause kernel memory corruption and potential information disclosure when connection preparation fails. Systems with WiFi MLO support and debugfs enabled are at risk of kernel crashes, information leaks, or potential code execution during WiFi association failures.
Vulnerability analysis
The vulnerability occurs in ieee80211_prep_connection() when MLO connection preparation fails and the interface is reset from MLD to non-MLD mode. The vif's debugfs is recreated during this reset, but existing stations associated with removed links remain in memory, creating dangling references. The fix properly tracks and destroys existing stations in the error path using __sta_info_destroy() to prevent use-after-free conditions. Because the freed heap objects can be accessed through debugfs, both information disclosure and memory corruption are possible. Attack surface is local WiFi interfaces with MLO support, requiring connection failure conditions and CONFIG_MAC80211_DEBUGFS enabled.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.88 | afcbaed89cdc |
| 6.18 | 6.18.30 | 9e28654f79f4 |
| 6.6 | 6.6.140 | fe75fa1ac9a9 |
| 7.0 | 7.0.7 | 1c2b72ea8988 |
| mainline | 7.1-rc3 | 283fc9e44ff5 |
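
A triage helper for the fix table above, added here as an example and not part of the advisory or the kernel project: it classifies a `uname -r` string against the listed fixed releases and checks a kernel config for `CONFIG_MAC80211_DEBUGFS`. The function names and sample config text are assumptions made for illustration, and the comparison assumes upstream version numbering; distribution kernels that backport the patch under an older version need the vendor's advisory instead.

```python
import re

# Fixed stable releases per branch, copied from the fix table on this page.
FIXED = {(6, 6): 140, (6, 12): 88, (6, 18): 30, (7, 0): 7}
MAINLINE_FIX = (7, 1, 3)  # mainline fix landed in 7.1-rc3

def parse_release(release):
    """Split a `uname -r` style string into (major, minor, patch, rc)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = (int(g) if g else None for g in m.groups())
    return major, minor, patch or 0, rc

def fix_status(release):
    """'fixed', 'unfixed' or 'unknown' for an upstream kernel release."""
    major, minor, patch, rc = parse_release(release)
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "unfixed"
    if branch == MAINLINE_FIX[:2]:
        # 7.1 final (no -rc suffix) and rc3 onwards carry the mainline commit.
        return "fixed" if rc is None or rc >= MAINLINE_FIX[2] else "unfixed"
    if branch > MAINLINE_FIX[:2]:
        return "fixed"
    return "unknown"  # branch not listed on the page; do not guess

def debugfs_enabled(config_text):
    """True if the kernel config text sets CONFIG_MAC80211_DEBUGFS=y."""
    return any(line.strip() == "CONFIG_MAC80211_DEBUGFS=y"
               for line in config_text.splitlines())

def triage(release, config_text):
    """Combine fix status with the debugfs condition from the description."""
    status = fix_status(release)
    if status != "unfixed":
        return status
    if debugfs_enabled(config_text):
        return "unfixed, debugfs enabled"
    return "unfixed, debugfs disabled"

# Constructed sample config fragments (not taken from any real system).
SAMPLE_CONFIG_ON = "CONFIG_MAC80211=m\nCONFIG_MAC80211_DEBUGFS=y\n"
SAMPLE_CONFIG_OFF = "CONFIG_MAC80211=m\n# CONFIG_MAC80211_DEBUGFS is not set\n"

if __name__ == "__main__":
    for rel in ("6.12.87", "6.12.88-1-amd64", "7.1.0-rc2", "6.8.0-45-generic"):
        print(rel, "->", triage(rel, SAMPLE_CONFIG_ON))
```

On a live host the config text would typically come from `/boot/config-$(uname -r)` or `/proc/config.gz`, where the distribution provides one.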