Description
In the Linux kernel, the following vulnerability has been resolved:

mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations

ieee80211_chan_bw_change() iterates all stations and accesses
link->reserved.oper via sta->sdata->link[link_id]. For stations on
AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to
the VLAN sdata, whose link never participates in chanctx reservations.
This leaves link->reserved.oper zero-initialized with chan == NULL,
causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()
when accessing chandef->chan->band during CSA.

Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata()
before accessing link data.

[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]
Published: 2026-04-03
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null pointer dereference occurs in the mac80211 subsystem of the Linux kernel when an AP_VLAN station undergoes a channel width change. During the transition, the driver accesses link data that is uninitialized for VLAN interfaces, leading to a dereference of a null pointer in __ieee80211_sta_cap_rx_bw(). The result is a kernel panic, which manifests as a system crash or reboot.

Affected Systems

The vulnerability affects Linux kernel implementations that contain the unpatched mac80211 code and operate with AP_VLAN (4‑address WDS) interfaces. Because no specific version range is listed, any kernel prior to the application of the fix commit is potentially vulnerable. The vendor is Linux and the product is the Linux kernel.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of 0.00025 (<1%) suggests a low but non‑zero probability of exploitation, but it is not listed in CISA’s KEV catalog. The likely attack vector is through crafted IEEE 802.11 traffic directed at the vulnerable driver; an attacker would need to send such traffic to a device running the affected kernel. The vulnerability does not provide a path to remote code execution, but it can cause a denial of service by crashing the system.

Generated by OpenCVE AI on May 20, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix for CVE-2026-31394.
  • If a patch is not yet available, disable AP_VLAN (4‑address WDS) traffic on the wireless interface until a patched kernel can be installed.
  • Monitor system logs (e.g., dmesg or /var/log/kern.log) for indications of kernel OOPS or panic events related to ieee80211_chan_bw_change.

Generated by OpenCVE AI on May 20, 2026 at 16:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Wed, 20 May 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA. Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data. [also change sta->sdata in ARRAY_SIZE even if it doesn't matter]
Title mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:07:51.015Z

Reserved: 2026-03-09T15:48:24.085Z

Link: CVE-2026-31394

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T16:16:37.597

Modified: 2026-05-20T15:08:26.533

Link: CVE-2026-31394

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31394 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T17:00:14Z

Weaknesses