Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: nl80211: reject oversized EMA RNR lists

nl80211_parse_rnr_elems() stores the parsed element count in a
u8-backed cfg80211_rnr_elems::cnt field and uses that count to size
the flexible array allocation.

Reject nested NL80211_ATTR_EMA_RNR_ELEMS input once the count reaches
255, before incrementing it again. This keeps the parser aligned with
the data structure it fills and matches the existing bound check used
by nl80211_parse_mbssid_elems().
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel’s nl80211 parsing code allows the counter that tracks EMA RNR elements to overflow when more than 255 elements are supplied. Because the counter is used to size a flexible array, the overflow can create an improperly sized buffer and may lead to kernel memory corruption or a kernel crash. The fix adds a check that rejects input once the count reaches 255, restoring correct bounds checking.

Affected Systems

All Linux kernels that include the nl80211 lists is applied. This includes the default kernel shipped by major distributions; any kernel release prior to the commit that added the rejection logic should be treated as affected.

Risk and Exploitability

The CVSS score of 7.8 indicates moderate to high severity, while the EPSS score is less than 1 % and it is not listed in CISA KEV. The likely attack vector is a crafted NL80211 message that an attacker could deliver from a local user with wireless configuration privileges or from a compromised wireless management interface. If such a message contains elements, the parser would overflow, potentially corrupting kernel memory or causing a denial of service. Because the exploit requires interaction with the wireless subsystem, the exposure is limited and no active exploits are known.

Generated by OpenCVE AI on June 28, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the nl80211 EMA RNR element list rejection logic
  • Reboot the system so the updated kernel becomes active
  • If automatic updates are unavailable, retrieve the upstream patch, apply it to the kernel source, rebuild, and install the updated image

Generated by OpenCVE AI on June 28, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-680

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-680

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject oversized EMA RNR lists nl80211_parse_rnr_elems() stores the parsed element count in a u8-backed cfg80211_rnr_elems::cnt field and uses that count to size the flexible array allocation. Reject nested NL80211_ATTR_EMA_RNR_ELEMS input once the count reaches 255, before incrementing it again. This keeps the parser aligned with the data structure it fills and matches the existing bound check used by nl80211_parse_mbssid_elems().
Title wifi: nl80211: reject oversized EMA RNR lists
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:39:55.496Z

Reserved: 2026-06-09T07:44:35.390Z

Link: CVE-2026-53182

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53182 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T15:30:07Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling