Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration

link_id is taken from the ML Reconfiguration element (control & 0x000f),
so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS
(15) elements, so index 15 is out-of-bounds. Skip subelements with
link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds
write.
Published: 2026-03-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

An out-of-bounds write occurs when the mac80211 subsystem processes the ML Reconfiguration element of an IEEE 802.11 frame; the link_id field can be 15 while the link_removal_timeout array only has 15 entries (indices 0‑14), so writing at index 15 corrupts stack memory. This memory corruption can overwrite kernel data structures and potentially be leveraged to execute arbitrary code with kernel privileges.

Affected Systems

The flaw is present in the Linux kernel’s wireless stack. All distributions that ship the upstream kernel without the committed bounds‑check are affected. No specific kernel versions are listed in the advisory, so any kernel before the fix commit can be considered vulnerable.

Risk and Exploitability

The CVSS score of 8.8 signals high severity, and though the EPSS score is below 1%, the risk remains significant. The likely attack vector is a malicious Wi‑Fi frame containing an ML Reconfiguration element with an out‑of‑range link_id; an attacker on the same wireless network could send such a frame to trigger the exploit. The vulnerability is not in CISA’s KEV catalog, however the absence of known exploits does not reduce the urgency of applying the patch.

Generated by OpenCVE AI on April 2, 2026 at 17:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the bounds‑check fix and reinstall the updated package.

Generated by OpenCVE AI on April 2, 2026 at 17:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}

threat_severity

Moderate

Wed, 18 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15 is out-of-bounds. Skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write.
Title wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T14:43:58.848Z

Reserved: 2026-01-13T15:37:45.989Z

Link: CVE-2026-23246

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-18T11:16:16.570

Modified: 2026-04-02T15:16:26.923

Link: CVE-2026-23246

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23246 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:23:30Z

Weaknesses