Skip to main content

Linux CVE-2026-31394

| EUVDEUVD-2026-18770 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-03 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 20, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
3c6629e859a2211a1fbb4868f915413f80001ca5,5a86d4e920d9783a198e39cf53f0e410fba5fbd6,65c25b588994dd422fea73fa322de56e1ae4a33b
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18770
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations

ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA.

Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data.

[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]

AnalysisAI

Null pointer dereference in Linux kernel mac80211 IEEE 802.11 wireless subsystem crashes AP_VLAN stations during channel bandwidth change operations. The ieee80211_chan_bw_change() function incorrectly accesses link data on VLAN interfaces (such as 4-address WDS clients) where the link structure is uninitialized, leading to kernel panic when dereferencing a NULL channel pointer. Any system with AP_VLAN wireless configurations and active channel state announcement (CSA) operations is vulnerable to local denial of service.

Technical ContextAI

The vulnerability exists in the Linux kernel's mac80211 IEEE 802.11 wireless stack, specifically in the ieee80211_chan_bw_change() function used during channel bandwidth change and CSA (Channel Switch Announcement) processing. The root cause is a logic error in link data traversal: when iterating stations, the code accesses link->reserved.oper via sta->sdata->link[link_id], but for AP_VLAN interface stations, sta->sdata points to a VLAN sdata structure rather than the parent AP interface. VLAN sdata links do not participate in chanctx (channel context) reservations, leaving the link->reserved.oper structure zero-initialized with a NULL chan pointer. When __ieee80211_sta_cap_rx_bw() subsequently attempts to access chandef->chan->band, the NULL pointer dereference triggers a kernel crash. The fix involves resolving VLAN sdata to their parent AP sdata using get_bss_sdata() before accessing link-specific data structures.

RemediationAI

Apply the kernel patch addressing the mac80211 link data access logic. The upstream fix is available via the kernel stable branches at git.kernel.org/stable with the four commits listed in references. Users should upgrade to patched kernel versions: 5.10.x (after 65c25b588994dd422fea73fa322de56e1ae4a33b), 5.15.x (after 5a86d4e920d9783a198e39cf53f0e410fba5fbd6), 6.1.x (after 3c6629e859a2211a1fbb4868f915413f80001ca5), or 6.6.x (after 672e5229e1ecfc2a3509b53adcb914d8b024a853). As an interim workaround on systems with AP_VLAN configurations, disable channel bandwidth change operations or avoid triggering CSA on VLAN-configured access points until patching is possible. Long-term mitigation requires kernel rebuild and redeployment with the patch integrated.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy