Impact
A flaw in the Linux kernel’s nl80211 parsing code causes the counter that tracks EMA RNR elements to overflow when more than 255 elements are supplied. Because the code uses this counter to allocate a flexible array, the overflow can result in an improperly sized buffer and potentially corrupt kernel memory or crash the kernel. The fix rejects input beyond the 255-element limit, so that the parser matches its data structure again. The bug is a buffer overflow combined with an integer wraparound, which leads to loss of kernel integrity or availability.
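The counter wraparound and the limit check described above, modelled in user-space C as an added example. This is not the kernel's code; the structures, function names and `MAX_ELEMS` are hypothetical stand-ins, and the input is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ELEMS 255 /* largest value an 8-bit counter can hold */

/* Hypothetical stand-ins, not the kernel's structures. */
struct elem { const uint8_t *data; size_t len; };
struct elem_list {
    uint8_t cnt;        /* 8-bit element counter */
    struct elem elem[]; /* flexible array sized from cnt */
};

/* Slots an unchecked 8-bit count would allocate for n_inputs elements. */
size_t unchecked_alloc_slots(size_t n_inputs)
{
    uint8_t cnt = 0;
    for (size_t i = 0; i < n_inputs; i++)
        cnt++; /* wraps to 0 on the 256th element */
    return cnt;
}

/* Checked parse: refuse input the counter cannot represent (NULL on reject). */
struct elem_list *parse_checked(const struct elem *in, size_t n_inputs)
{
    if (n_inputs > MAX_ELEMS)
        return NULL;
    struct elem_list *l = calloc(1, sizeof(*l) + n_inputs * sizeof(l->elem[0]));
    if (!l)
        return NULL;
    for (size_t i = 0; i < n_inputs; i++)
        l->elem[i] = in[i];
    l->cnt = (uint8_t)n_inputs;
    return l;
}

int main(void)
{
    static struct elem in[300]; /* constructed input: 300 empty elements */
    size_t sizes[] = { 255, 256, 300 };
    for (size_t i = 0; i < 3; i++) {
        struct elem_list *l = parse_checked(in, sizes[i]);
        printf("%zu elements: unchecked count allocates %zu slots, checked parse %s\n",
               sizes[i], unchecked_alloc_slots(sizes[i]), l ? "accepts" : "rejects");
        free(l);
    }
    return 0;
}
```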
Affected Systems
All Linux kernels that include the nl80211 wireless subsystem are potentially vulnerable until the code that rejects oversized EMA RNR lists is applied. The bug is part of the default kernel shipped by major distributions; any kernel prior to the commit that introduced the rejection logic is considered vulnerable. No specific version range is supplied in the advisory, so all earlier releases should be treated as affected.
Risk and Exploitability
The CVSS score is not provided, the EPSS score is unavailable, and the vulnerability is not listed in CISA KEV. The likely attack vector is inferred to be the reception of a crafted nl80211 message, which an attacker could deliver as a local user with wireless configuration privileges or through a compromised wireless management interface. Because the exploit requires privileged interaction with the kernel’s wireless subsystem, the exposure is limited, and no active exploits are known. The potential impact of a successful exploit is severe kernel memory corruption or a crash that results in a denial of service.