Skip to main content

Linux CVE-2026-23367

| EUVDEUVD-2026-15350 MEDIUM
2026-03-25 Linux GHSA-mg4x-3g76-43w7
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15350
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: radiotap: reject radiotap with unknown bits

The radiotap parser is currently only used with the radiotap namespace (not with vendor namespaces), but if the undefined field 18 is used, the alignment/size is unknown as well. In this case, iterator->_next_ns_data isn't initialized (it's only set for skipping vendor namespaces), and syzbot points out that we later compare against this uninitialized value.

Fix this by moving the rejection of unknown radiotap fields down to after the in-namespace lookup, so it will really use iterator->_next_ns_data only for vendor namespaces, even in case undefined fields are present.

AnalysisAI

A use-of-uninitialized-variable vulnerability exists in the Linux kernel's radiotap parser that can lead to information disclosure when processing radiotap frames with undefined fields. The vulnerability affects all Linux kernel versions using the radiotap namespace parser (cpe:2.3:a:linux:linux) and occurs when undefined radiotap field 18 is present, causing the iterator->_next_ns_data variable to be compared against an uninitialized value. While no CVSS score or EPSS data is currently available and there is no indication of active exploitation, the vulnerability has been patched across multiple kernel branches as evidenced by six distinct commit fixes.

Technical ContextAI

The radiotap protocol is a standardized mechanism for carrying per-packet information about wireless frames in the Linux kernel's wireless subsystem. The vulnerability exists in the radiotap frame parser, which iterates through radiotap namespace fields to extract header information. The root cause is an uninitialized variable (iterator->_next_ns_data) that is only set when processing vendor namespaces but is later compared against when undefined fields are encountered. This represents a classic uninitialized variable use (CWE-Variable class) where control flow fails to initialize a variable before its use in a comparison operation. The parser is used during wireless packet reception and filtering, making it a kernel-level component affecting the entire wireless stack.

RemediationAI

Apply kernel updates that include the radiotap parser fix as soon as feasible within normal maintenance windows. Users should identify their running kernel version via 'uname -r' and update to a patched version from their distribution: Red Hat/CentOS users should apply RHSA advisories for kernel updates, Debian/Ubuntu users should run 'apt update && apt upgrade linux-image' to obtain fixed kernel packages, and SUSE users should apply kernel update packages via 'zypper update kernel'. The Linux kernel.org stable branches (5.15.x, 6.1.x, 6.6.x, 6.12.x and later) all contain the fix. Until patching is completed, systems that do not require wireless functionality or can restrict wireless interface access should do so via 'ip link set <interface> down' or disable wireless modules. For systems requiring wireless operation, filtering malformed radiotap frames at network ingress via firewall rules may reduce exposure, though kernel-level patching remains the definitive remediation.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23367 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy