Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration

link_id is taken from the ML Reconfiguration element (control & 0x000f),
so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS
(15) elements, so index 15 is out-of-bounds. Skip subelements with
link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds
write.
Published: 2026-03-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds write in the Linux kernel’s mac80211 wireless subsystem occurs when processing the ML Reconfiguration element of an IEEE 802.11 frame. The link_id field can be 15, but the link_removal_timeout array contains only 15 entries indexed 0‑14. Writing to index 15 corrupts the stack, potentially overwriting kernel data structures and allowing an attacker to execute arbitrary code with kernel privileges. This vulnerability is a classic CWE‑129 (unchecked new) and CWE‑787 (out‑of‑bounds write) that can lead to privilege escalation.

Affected Systems

The flaw exists in the upstream Linux kernel before the commit that added the bounds check. All distributions shipping kernels without the fix, including kernel versions 6.5 and earlier, 7.0‑rc1 and later, are vulnerable. Any system that enables the 802.11 stack on a wireless interface is affected; devices that never load the mac80211 driver are not impacted.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, though the EPSS score is below 1%, so exploitation has not yet been widely observed. The vulnerability can be triggered by sending a specially crafted ML Reconfiguration frame over a Wi‑Fi network that the target device is connected to; proximity to the victim may be required. Because it results in a kernel stack overflow, the exploit can give an attacker full control of the system. The vulnerability is not in CISA’s KEV catalog, but the lack of public exploits does not mitigate the need for prompt remediation.

Generated by OpenCVE AI on May 26, 2026 at 15:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit adding the bounds check, using the latest patch from your distribution’s repository.
  • Reboot the system so that the updated kernel runs, ensuring the new code is active.
  • As a temporary measure until the update is applied, disable or power‑down the wireless interface or isolate the device from untrusted Wi‑Fi networks to prevent the delivery of malicious ML Reconfiguration frames.

Generated by OpenCVE AI on May 26, 2026 at 15:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129
CPEs cpe:2.3:o:linux:linux_kernel:6.5:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}

threat_severity

Moderate

Wed, 18 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15 is out-of-bounds. Skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write.
Title wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:03:08.962Z

Reserved: 2026-01-13T15:37:45.989Z

Link: CVE-2026-23246

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T11:16:16.570

Modified: 2026-05-22T14:49:27.737

Link: CVE-2026-23246

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23246 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T16:00:11Z

Weaknesses