CVE-2026-31394

Summary

In the Linux kernel, the following vulnerability has been resolved:

mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations

ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA.

Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data.

[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxb27512368591fc959768df1f7dacf2a96b1bd036 < 65c25b588994dd422fea73fa322de56e1ae4a33baffected
LinuxLinuxb27512368591fc959768df1f7dacf2a96b1bd036 < 5a86d4e920d9783a198e39cf53f0e410fba5fbd6affected
LinuxLinuxb27512368591fc959768df1f7dacf2a96b1bd036 < 3c6629e859a2211a1fbb4868f915413f80001ca5affected
LinuxLinuxb27512368591fc959768df1f7dacf2a96b1bd036 < 672e5229e1ecfc2a3509b53adcb914d8b024a853affected
LinuxLinux6.11affected
LinuxLinux0 < 6.11unaffected
LinuxLinux6.12.78 <= 6.12.*unaffected
LinuxLinux6.18.20 <= 6.18.*unaffected
LinuxLinux6.19.10 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References