Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: correctly decode TTLM with default link map

TID-To-Link Mapping (TTLM) elements do not contain any link mapping
presence indicator if a default mapping is used and parsing needs to be
skipped.

Note that access points should not explicitly report an advertised TTLM
with a default mapping as that is the implied mapping if the element is
not included, this is even the case when switching back to the default
mapping. However, mac80211 would incorrectly parse the frame and would
also read one byte beyond the end of the element.
Published: 2026-02-14
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds read potentially exposing kernel memory
Action: Update Kernel
AI Analysis

Impact

TID-To-Link Mapping (TTLM) elements in the Linux mac80211 subsystem sometimes lack a presence indicator when a default mapping is used, causing the driver to incorrectly parse the frame and read one byte beyond the element’s end. This results in an out-of-bounds read (CWE-125), which could allow an attacker to glean unintended kernel data or, if repeated, lead to instability.

Affected Systems

The flaw exists in all Linux kernel implementations that include the mac80211 driver before the patch, notably the 6.19 release series (rc1 through rc7) and any downstream kernels that have not yet incorporated the fix. All Linux distributions relying on these kernels are affected.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate impact, and the EPSS score of less than 1% suggests a low current exploitation likelihood. The vulnerability is not listed in CISA’s KEV catalog. Attackers could exploit the flaw by transmitting specially crafted wireless frames to a victim system, making the attack vector likely remote over the wireless network. Because the issue requires only the presence of a malformed TTLM element, a legitimate attack would need control over the message stream or the ability to inject frames.

Generated by OpenCVE AI on April 17, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the patch for the TTLM parsing bug.
  • Close or reconfigure wireless access points to avoid advertising default TTLM mappings in their 802.11 frames, ensuring compliant behavior as the standard recommends.
  • Monitor network traffic for anomalous TTLM frames and consider applying firmware updates or disabling the TTLM feature on both client and AP devices if a patch is not immediately available.

Generated by OpenCVE AI on April 17, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Tue, 17 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

threat_severity

Moderate

Sat, 14 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: correctly decode TTLM with default link map TID-To-Link Mapping (TTLM) elements do not contain any link mapping presence indicator if a default mapping is used and parsing needs to be skipped. Note that access points should not explicitly report an advertised TTLM with a default mapping as that is the implied mapping if the element is not included, this is even the case when switching back to the default mapping. However, mac80211 would incorrectly parse the frame and would also read one byte beyond the end of the element.
Title wifi: mac80211: correctly decode TTLM with default link map
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-14T16:01:20.379Z

Reserved: 2026-01-13T15:37:45.976Z

Link: CVE-2026-23152

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-14T16:15:55.340

Modified: 2026-03-17T21:11:25.373

Link: CVE-2026-23152

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23152 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T19:45:25Z

Weaknesses