KernelScan.io

HIGH

mac80211 Radar UAF

CVE-2026-46166

CVSS 8.8 / 10.0 NVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 5.5 MEDIUM

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: use safe list iteration in radar detect work

The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.

Engine v0.2.0

Risk summary

Local attackers with low privileges can trigger a use-after-free vulnerability in the WiFi radar detection subsystem, leading to kernel crashes and denial of service. This affects systems with WiFi hardware that supports DFS (Dynamic Frequency Selection) radar detection capabilities.

Affected: net/mac80211/util.c (WiFi subsystem)

Vulnerability analysis

The vulnerability occurs in ieee80211_dfs_radar_detected_work() where the code iterates over a list of channel contexts using list_for_each_entry(). During iteration, the call to ieee80211_dfs_cac_cancel() can free and remove the currently iterated chanctx from the list, causing subsequent list traversal to access freed memory. The fix replaces the unsafe list iteration with list_for_each_entry_safe(), which stores the next pointer before processing each entry, preventing use-after-free when list elements are removed during iteration. This bug was introduced when MLO (Multi-Link Operation) support was added to handle radar detection across multiple channel contexts.
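The iteration pattern described above, as an added user-space example (not the kernel patch or kernel code). The struct, helpers and three-entry list are constructed for illustration, and the released entry is only flagged rather than freed so that the plain walk can be run and its stale read counted.

```c
#include <stdio.h>

/* Constructed stand-in for a channel context on a circular, doubly linked list. */
struct ctx { struct ctx *prev, *next; int radar; int freed; };

static void add_tail(struct ctx *n, struct ctx *head) {
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

/* Stand-in for the cancel path: unlink the entry and mark it released.
 * The memory is only flagged, not freed, so the plain walk stays defined here. */
static void cancel(struct ctx *c) {
    c->prev->next = c->next; c->next->prev = c->prev;
    c->freed = 1;
}

/* Read ->next, counting reads from an entry that was already released. */
static struct ctx *next_of(struct ctx *c, int *stale) {
    if (c->freed) (*stale)++;
    return c->next;
}

/* Walk the list, cancelling entries with radar set; return the stale-read count. */
static int walk(struct ctx *head, int safe) {
    int stale = 0;
    struct ctx *pos = head->next, *n = head;
    while (pos != head) {
        if (safe) n = next_of(pos, &stale);   /* _safe form: save next before the body */
        if (pos->radar) cancel(pos);          /* body may release pos */
        if (!safe) n = next_of(pos, &stale);  /* plain form: step reads pos after the body */
        pos = n;
    }
    return stale;
}

/* Build head -> e0 -> e1(radar) -> e2 and run one walk over it. */
static int demo(int safe) {
    struct ctx head = { &head, &head, 0, 0 }, e[3] = {{0}};
    for (int i = 0; i < 3; i++) add_tail(&e[i], &head);
    e[1].radar = 1;
    return walk(&head, safe);
}

int main(void) {
    printf("plain walk stale reads: %d, safe walk stale reads: %d\n", demo(0), demo(1));
    return 0;
}
```

In the kernel the released entry's memory is actually freed, so the stale read counted here is the slab-use-after-free the fix avoids.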

Branch   | Fixed in | Patch commit
6.12     | 6.12.88  | 887ece6c23b4
6.18     | 6.18.30  | 7577a4b8a10f
7.0      | 7.0.7    | 120149fb3ebc
mainline | 7.1-rc3  | ac8eb3e18f41