Impact
A flaw in the Linux kernel’s nl80211 parsing code allows the counter that tracks EMA RNR elements to overflow when more than 255 elements are supplied. Because the counter is used to size a flexible array, the overflow can create an improperly sized buffer and may lead to kernel memory corruption or a kernel crash. The fix adds a check that rejects input once the count reaches 255, restoring correct bounds checking.
Affected Systems
All Linux kernels that include the nl80211 lists is applied. This includes the default kernel shipped by major distributions; any kernel release prior to the commit that added the rejection logic should be treated as affected.
Risk and Exploitability
The CVSS score of 7.8 indicates moderate to high severity, while the EPSS score is less than 1 % and it is not listed in CISA KEV. The likely attack vector is a crafted NL80211 message that an attacker could deliver from a local user with wireless configuration privileges or from a compromised wireless management interface. If such a message contains elements, the parser would overflow, potentially corrupting kernel memory or causing a denial of service. Because the exploit requires interaction with the wireless subsystem, the exposure is limited and no active exploits are known.
OpenCVE Enrichment
Debian DLA