VDB
GHSA-96f2-8m7p-q7j4
GHSA-96f2-8m7p-q7j4
PUBLISHED
CVSS 8.699999809265137 HIGH
In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA. Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data. [also change sta->sdata in ARRAY_SIZE even if it doesn't matter]
Risk Scores
CVSS v4.0
8.699999809265137
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Exploit Intelligence
- EUVD-2026-18770.json (github-poc)
- 4593.2.0.yml (github-poc)
- 4628.1.0.yml (github-poc)
Timeline
- Apr 3, 2026 CVE Published
- Apr 10, 2026 Security Advisory
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-31394 advisory
- https://git.kernel.org/stable/c/3c6629e859a2211a1fbb4868f915413f80001ca5 url
- https://git.kernel.org/stable/c/5a86d4e920d9783a198e39cf53f0e410fba5fbd6 url
- https://git.kernel.org/stable/c/65c25b588994dd422fea73fa322de56e1ae4a33b url
- https://git.kernel.org/stable/c/672e5229e1ecfc2a3509b53adcb914d8b024a853 url