Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: radiotap: reject radiotap with unknown bits

The radiotap parser is currently only used with the radiotap
namespace (not with vendor namespaces), but if the undefined
field 18 is used, the alignment/size is unknown as well. In
this case, iterator->_next_ns_data isn't initialized (it's
only set for skipping vendor namespaces), and syzbot points
out that we later compare against this uninitialized value.

Fix this by moving the rejection of unknown radiotap fields
down to after the in-namespace lookup, so it will really use
iterator->_next_ns_data only for vendor namespaces, even in
case undefined fields are present.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A flaw in the Linux kernel’s radiotap parser leaves an internal pointer uninitialized when it encounters an undefined field. The parser later compares against this garbage value, which can trigger undefined behavior such as a kernel panic, effectively taking the system offline. The weakness is a use of an uninitialized variable, classified as CWE-824.

Affected Systems

All Linux kernel releases before the commit that adds a check for unknown radiotap fields are affected. The issue resides in the generic wireless (wifi) framework and does not involve vendor‑specific extensions. Any distribution running an older kernel version without the patch is at risk.

Risk and Exploitability

The CVSS score of 5.5 and an EPSS below 1% indicate moderate severity and a low likelihood of exploitation. The likely attack vector is inferred to be the injection of malformed radiotap data in wireless frames, which triggers the uninitialized comparison. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on March 26, 2026 at 15:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel update that adds an explicit check for unknown radiotap fields
  • Verify that the running kernel includes the patch, e.g., by checking the kernel version or commit hash
  • Reboot the system or reload the kernel modules to ensure the patch is active

Generated by OpenCVE AI on March 26, 2026 at 15:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-758

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-758

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: radiotap: reject radiotap with unknown bits The radiotap parser is currently only used with the radiotap namespace (not with vendor namespaces), but if the undefined field 18 is used, the alignment/size is unknown as well. In this case, iterator->_next_ns_data isn't initialized (it's only set for skipping vendor namespaces), and syzbot points out that we later compare against this uninitialized value. Fix this by moving the rejection of unknown radiotap fields down to after the in-namespace lookup, so it will really use iterator->_next_ns_data only for vendor namespaces, even in case undefined fields are present.
Title wifi: radiotap: reject radiotap with unknown bits
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:14.832Z

Reserved: 2026-01-13T15:37:46.003Z

Link: CVE-2026-23367

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:36.000

Modified: 2026-04-18T09:16:21.593

Link: CVE-2026-23367

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23367 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:49:12Z

Weaknesses