Skip to main content

Linux CVE-2026-23246

| EUVDEUVD-2026-12809 HIGH
2026-03-18 Linux
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 10:30 euvd
EUVD-2026-12809
Analysis Generated
Mar 18, 2026 - 10:30 vuln.today
CVE Published
Mar 18, 2026 - 10:05 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration

link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15 is out-of-bounds. Skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write.

AnalysisAI

A stack out-of-bounds write vulnerability exists in the Linux kernel's mac80211 WiFi subsystem in the ieee80211_ml_reconfiguration function, where the link_id parameter extracted from the ML Reconfiguration element is not properly bounds-checked before being used as an array index. The vulnerability affects Linux kernel versions across multiple release branches (6.5 through 7.0-rc2), allowing an attacker with network proximity to craft a malicious WiFi frame to trigger a buffer overflow and potentially cause denial of service or code execution. While no CVSS score or EPSS data is currently published, the vulnerability has been assigned EUVD-2026-12809 and patches are available across stable kernel branches.

Technical ContextAI

This vulnerability resides in the Linux kernel's mac80211 subsystem, which implements IEEE 802.11 WiFi protocol handling. Specifically, the ieee80211_ml_reconfiguration function processes the ML (Multi-Link) Reconfiguration element from incoming WiFi management frames during WiFi mesh or multi-link device operations. The CWE classification is Buffer Overflow (implicit from 'stack out-of-bounds write'). The root cause is that link_id is extracted from an untrusted protocol field (control & 0x000f) without validation, yielding values 0-15. However, the link_removal_timeout array is allocated with only IEEE80211_MLD_MAX_NUM_LINKS (15) elements, meaning valid indices are 0-14. When link_id equals 15, the code writes out-of-bounds to the stack, corrupting adjacent memory and potentially enabling privilege escalation or denial of service attacks via crafted wireless frames received by any device running vulnerable kernel versions.

RemediationAI

Users must upgrade to patched kernel versions immediately: Linux 6.12.77 or later for the 6.12.x branch, Linux 6.18.17 or later for the 6.18.x branch, Linux 6.19.7 or later for the 6.19.x branch, or Linux 7.0 final release or later. Distributions should apply the corresponding patches from https://git.kernel.org/stable/c/bfde158d5d1322c0c2df398a8d1ccce04943be2e and the related commit URLs. Until patching is feasible, mitigation options are limited due to the network-adjacent attack vector; however, disabling WiFi multi-link device features or mesh networking in kernel configurations can reduce exposure. Network segmentation to isolate WiFi-capable systems or restricting WiFi SSID broadcast and access control lists provides defensive depth but not complete protection. Administrators should prioritize kernel patching as the primary remediation, testing patches in non-production environments before rollout to ensure stability.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky vulnerable 6.19.6-2 -
sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy