Skip to main content

Linux Kernel CVE-2026-46125

| EUVDEUVD-2026-32884 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xrmp-x8vm-qcmh
8.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:53 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
8.8 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 8.8
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: remove station if connection prep fails

If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any "new_sta" is already being removed, so that doesn't need changes.

This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.

AnalysisAI

Use-after-free/double-free in the Linux kernel's mac80211 wireless subsystem affects systems with Multi-Link Operation (MLO) Wi-Fi connections when debugfs is enabled. The flaw occurs when connection preparation fails for MLO connections and the interface is reset to non-MLD without removing the associated station, corrupting debugfs state. EPSS probability is 0.02% (5th percentile) and no public exploit identified at time of analysis, but the CVSS 8.8 score reflects high impact on adjacent-network reachable systems.

Technical ContextAI

The vulnerability lives in net/mac80211, the Linux soft-MAC 802.11 stack that drives most Wi-Fi chipsets. It specifically involves Multi-Link Operation (MLO), the Wi-Fi 7 / 802.11be feature that lets a single Multi-Link Device (MLD) maintain simultaneous links across multiple bands. When MLO connection preparation fails, the virtual interface is torn down from MLD back to a non-MLD vif, but a station entry tied to the removed link was being retained. Because mac80211 recreates the per-vif debugfs hierarchy on every MLD↔non-MLD transition, the stale station object's debugfs dentries point into freed memory, yielding a use-after-free and potentially a double-free when the entries are cleaned up again. The fix forces deletion of any existing station during this preparation-failure path. CWE is not assigned, but the bug class is CWE-416 (Use After Free) / CWE-415 (Double Free).

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 (or pick up the corresponding stable backport commits 1c2b72ea89882aeb948340498391e69c58d466f1, 283fc9e44ff5b5ac967439b4951b80bd4299f4e4, 9e28654f79f443bca9b29ff3ae7cf18abfba58a0, afcbaed89cdc1a001b43270cbf5394bb4804270a, or fe75fa1ac9a92990f7fc3d34b17808fd933071b2 from https://git.kernel.org/stable/). On systems where kernel rebuild or update is not immediate, the most effective compensating control is to rebuild without CONFIG_MAC80211_DEBUGFS, which removes the vulnerable code path at the cost of losing mac80211 debug visibility; alternatively, unmount or restrict access to /sys/kernel/debug so only root can reach the dangling dentries (reduces but does not eliminate the kernel-side UAF). Disabling 802.11be MLO at the driver or supplicant level (e.g., wpa_supplicant 'disable_eht=1' or driver module parameters) prevents the MLD↔non-MLD transition that triggers the bug, with the trade-off of forfeiting Wi-Fi 7 multi-link throughput gains.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46125 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy