Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: radiotap: reject radiotap with unknown bits

The radiotap parser is currently only used with the radiotap
namespace (not with vendor namespaces), but if the undefined
field 18 is used, the alignment/size is unknown as well. In
this case, iterator->_next_ns_data isn't initialized (it's
only set for skipping vendor namespaces), and syzbot points
out that we later compare against this uninitialized value.

Fix this by moving the rejection of unknown radiotap fields
down to after the in-namespace lookup, so it will really use
iterator->_next_ns_data only for vendor namespaces, even in
case undefined fields are present.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A flaw in the Linux kernel’s radiotap parser leaves an internal pointer uninitialized when it encounters an undefined field. The parser later compares against this garbage value. Based on the description, it is inferred that this could trigger undefined behavior such as a kernel panic, effectively taking the system offline. The weakness is a use of an uninitialized variable, classified as CWE-824.

Affected Systems

All Linux kernel releases before the commit that adds a check for unknown radiotap fields are affected. The issue resides in the generic wireless (wifi) framework and does not involve vendor‑specific extensions. Any distribution running an older kernel version without the patch is at risk.

Risk and Exploitability

The CVSS score of 5.5 and an EPSS below 1% indicate moderate severity and a low likelihood of exploitation. Based on the description, it is inferred that the attack vector would be the injection of malformed radiotap data in wireless frames. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 28, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest stable Linux kernel version that includes the radiotap unknown field check (e.g., kernel commit c/c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 or later).
  • Reboot the system to load the patched kernel.
  • Deploy a monitoring solution that parses dmesg logs for radiotap‑related OOPS entries and alerts administrators if any occur, ensuring that the system remains stable after the update.

Generated by OpenCVE AI on April 28, 2026 at 22:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Fri, 24 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:2.6.34:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-758

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-758

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: radiotap: reject radiotap with unknown bits The radiotap parser is currently only used with the radiotap namespace (not with vendor namespaces), but if the undefined field 18 is used, the alignment/size is unknown as well. In this case, iterator->_next_ns_data isn't initialized (it's only set for skipping vendor namespaces), and syzbot points out that we later compare against this uninitialized value. Fix this by moving the rejection of unknown radiotap fields down to after the in-namespace lookup, so it will really use iterator->_next_ns_data only for vendor namespaces, even in case undefined fields are present.
Title wifi: radiotap: reject radiotap with unknown bits
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:05:30.219Z

Reserved: 2026-01-13T15:37:46.003Z

Link: CVE-2026-23367

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T11:16:36.000

Modified: 2026-04-24T18:41:25.547

Link: CVE-2026-23367

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23367 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T22:15:41Z

Weaknesses