CVE-2026-31394
ADVISORY - nistSummary
In the Linux kernel, the following vulnerability has been resolved:
mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations
ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA.
Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data.
[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]
Common Weakness Enumeration (CWE)
NULL Pointer Dereference
NULL Pointer Dereference
NIST
1.8
CVSS SCORE
5.5mediumDebian
-
CVSS SCORE
N/AlowUbuntu
1.8
CVSS SCORE
5.5mediumRed Hat
1.0
CVSS SCORE
7mediumOracle
-