CVE-2026-46125 - Vulnerability Details

- wifi: mac80211: remove station if connection prep fails

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: remove station if connection prep fails

If connection preparation fails for MLO connections, then the
interface is completely reset to non-MLD. In this case, we must
not keep the station since it's related to the link of the vif
being removed. Delete an existing station. Any "new_sta" is
already being removed, so that doesn't need changes.

This fixes a use-after-free/double-free in debugfs if that's
enabled, because a vif going from MLD (and to MLD, but that's
not relevant here) recreates its entire debugfs.

Published: 2026-05-28

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s mac80211 wireless stack contains a bug that occurs when a multi‑link operation (MLO) connection preparation fails. The kernel resets the interface and removes the associated station, and the same station is also being deleted in a separate cleanup path for debugfs entries. This double deletion can trigger a use‑after‑free or double‑free when debugfs is enabled, leading to kernel memory corruption or an uncontrolled crash.

Affected Systems

All Linux kernel installations that incorporate the mac80211 subsystem, prior to the commit that removes the faulty station handling logic, and that have debugfs enabled. The vulnerability is vendor‑agnostic and applies across all distributions that ship the stock kernel, as indicated by the wide vendor list in the CNA data.

Risk and Exploitability

The CVSS score is not provided and the EPSS score is unavailable, but the defect directly affects kernel memory safety. Because the exploit requires inducing a specific failure in an MLO connection and relies on the presence of debugfs, the threat primarily poses a risk of localized denial of service rather than broad remote code execution. The vulnerability is not included in CISA’s Known Exploited Vulnerabilities catalog. An attacker with sufficient ability to influence the wireless interface or who can trigger the failure condition could cause a kernel crash, potentially leading to service disruption or additional compromise avenues.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`81151ce462e533551f3284bfdb8e0f461c9220e6`	affected	< fe75fa1ac9a92990f7fc3d34b17808fd933071b2
`81151ce462e533551f3284bfdb8e0f461c9220e6`	affected	< afcbaed89cdc1a001b43270cbf5394bb4804270a
`81151ce462e533551f3284bfdb8e0f461c9220e6`	affected	< 9e28654f79f443bca9b29ff3ae7cf18abfba58a0
`81151ce462e533551f3284bfdb8e0f461c9220e6`	affected	< 1c2b72ea89882aeb948340498391e69c58d466f1
`81151ce462e533551f3284bfdb8e0f461c9220e6`	affected	< 283fc9e44ff5b5ac967439b4951b80bd4299f4e4

Linux

affected

Version	Status	Constraints
`6.0`	affected	—
`0`	unaffected	< 6.0
`6.6.140`	unaffected	≤ 6.6.*
`6.12.88`	unaffected	≤ 6.12.*
`6.18.30`	unaffected	≤ 6.18.*
`7.0.7`	unaffected	≤ 7.0.*
`7.1-rc3`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[81151ce462e533551f3284bfdb8e0f461c9220e6,fe75fa1ac9a92990f7fc3d34b17808fd933071b2)`	affected	code_commit	—
`[81151ce462e533551f3284bfdb8e0f461c9220e6,afcbaed89cdc1a001b43270cbf5394bb4804270a)`	affected	code_commit	—
`[81151ce462e533551f3284bfdb8e0f461c9220e6,9e28654f79f443bca9b29ff3ae7cf18abfba58a0)`	affected	code_commit	—
`[81151ce462e533551f3284bfdb8e0f461c9220e6,1c2b72ea89882aeb948340498391e69c58d466f1)`	affected	code_commit	—
`[81151ce462e533551f3284bfdb8e0f461c9220e6,283fc9e44ff5b5ac967439b4951b80bd4299f4e4)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.0`	affected	generic	—
`[0,6.0)`	unaffected	generic	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.88,6.13.0)`	unaffected	semver	—
`[6.18.30,6.19.0)`	unaffected	semver	—
`[7.0.7,7.1.0)`	unaffected	semver	—
`[7.1-rc3,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the fix for the mac80211 station removal logic.
If a kernel upgrade cannot be performed immediately, disable debugfs or restrict its access so that the double‑free cannot be triggered.
Verify that the system’s wireless drivers and firmware are compatible with the patched kernel and that no additional cleanup logic re‑introduces the issue.

Generated by OpenCVE AI on May 28, 2026 at 12:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1c2b72ea89882aeb948340498391e69c58d466f1
https://git.kernel.org/stable/c/283fc9e44ff5b5ac967439b4951b80bd4299f4e4
https://git.kernel.org/stable/c/9e28654f79f443bca9b29ff3ae7cf18abfba58a0
https://git.kernel.org/stable/c/afcbaed89cdc1a001b43270cbf5394bb4804270a
https://git.kernel.org/stable/c/fe75fa1ac9a92990f7fc3d34b17808fd933071b2

History

Thu, 28 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: remove station if connection prep fails If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any "new_sta" is already being removed, so that doesn't need changes. This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.
Title		wifi: mac80211: remove station if connection prep fails
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1c2b72ea89882aeb948340498391e69c58d466f1 https://git.kernel.org/stable/c/283fc9e44ff5b5ac967439b4951b80bd4299f4e4 https://git.kernel.org/stable/c/9e28654f79f443bca9b29ff3ae7cf18abfba58a0 https://git.kernel.org/stable/c/afcbaed89cdc1a001b43270cbf5394bb4804270a https://git.kernel.org/stable/c/fe75fa1ac9a92990f7fc3d34b17808fd933071b2

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:35:39.809Z

Updated: 2026-05-28T09:35:39.809Z

Reserved: 2026-05-13T15:03:33.099Z

Link: CVE-2026-46125

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:28.047

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46125

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T13:00:21Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object