CVE-2026-31394 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations

ieee80211_chan_bw_change() iterates all stations and accesses
link->reserved.oper via sta->sdata->link[link_id]. For stations on
AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to
the VLAN sdata, whose link never participates in chanctx reservations.
This leaves link->reserved.oper zero-initialized with chan == NULL,
causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()
when accessing chandef->chan->band during CSA.

Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata()
before accessing link data.

[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]

Published: 2026-04-03

Score: 7.0 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the mac80211 subsystem of the Linux kernel, where the ieee80211_chan_bw_change() routine accesses station link data that is uninitialized for AP_VLAN stations. This leads to a NULL pointer dereference when a channel switch announcement is processed, causing the kernel to panic. The result is a denial of service that can bring the entire system down. The weakness is a classic NULL pointer dereference scenario found in kernel code that handles wireless channel width changes.

Affected Systems

All installations of the Linux kernel that include the mac80211 module prior to the commit that implements the fix are affected. The issue specifically impacts configurations that use AP_VLAN interfaces (4‑address WDS clients). No precise kernel version range is supplied, so any kernel build before the patch should be considered vulnerable.

Risk and Exploitability

CVSS and EPSS scores are not provided, and the vulnerability is not listed in the CISA KEV catalog, so public exploitation data is limited. It is inferred that an attacker could trigger the crash by inducing a channel width change on an AP_VLAN station, likely via a crafted network frame sent over Wi‑Fi. Because the flaw leads to a kernel panic, the risk is significant, and the vulnerability presents a remote denial‑of‑service threat to affected hosts.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 65c25b588994dd422fea73fa322de56e1ae4a33b
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 5a86d4e920d9783a198e39cf53f0e410fba5fbd6
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 3c6629e859a2211a1fbb4868f915413f80001ca5
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 672e5229e1ecfc2a3509b53adcb914d8b024a853

Linux

affected

Version	Status	Constraints
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0-rc5`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,65c25b588994dd422fea73fa322de56e1ae4a33b)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,5a86d4e920d9783a198e39cf53f0e410fba5fbd6)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,3c6629e859a2211a1fbb4868f915413f80001ca5)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,672e5229e1ecfc2a3509b53adcb914d8b024a853)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,6.20.0)`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that contains the mac80211 patch (identified by commit 3c6629e859a2211a1fbb4868f915413f80001ca5).
If an immediate kernel upgrade is not feasible, disable or remove AP_VLAN (4‑address WDS) interfaces from the system.
Check your distribution’s security advisories for a patched kernel release and apply it promptly.
Monitor system logs for kernel panics or crash dumps after Wi‑Fi channel changes and investigate any anomalous behavior.

Generated by OpenCVE AI on April 3, 2026 at 19:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3c6629e859a2211a1fbb4868f915413f80001ca5
https://git.kernel.org/stable/c/5a86d4e920d9783a198e39cf53f0e410fba5fbd6
https://git.kernel.org/stable/c/65c25b588994dd422fea73fa322de56e1ae4a33b
https://git.kernel.org/stable/c/672e5229e1ecfc2a3509b53adcb914d8b024a853
https://lore.kernel.org/linux-cve-announce/2026040325-CVE-2026-31394-26ac@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31394
https://www.cve.org/CVERecord?id=CVE-2026-31394

History

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026040325-CVE-2026-31394-26ac@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31394 https://www.cve.org/CVERecord?id=CVE-2026-31394
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA. Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data. [also change sta->sdata in ARRAY_SIZE even if it doesn't matter]
Title		mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3c6629e859a2211a1fbb4868f915413f80001ca5 https://git.kernel.org/stable/c/5a86d4e920d9783a198e39cf53f0e410fba5fbd6 https://git.kernel.org/stable/c/65c25b588994dd422fea73fa322de56e1ae4a33b https://git.kernel.org/stable/c/672e5229e1ecfc2a3509b53adcb914d8b024a853

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:58.806Z

Updated: 2026-04-03T15:15:58.806Z

Reserved: 2026-03-09T15:48:24.085Z

Link: CVE-2026-31394

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-03T16:16:37.597

Modified: 2026-04-03T16:16:37.597

Link: CVE-2026-31394

Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31394 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:15:32Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object