Skip to main content

Linux Kernel CVE-2026-53182

| EUVDEUVD-2026-39273 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-q6qm-26ch-2w94
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local-only netlink path needing CAP_NET_ADMIN (PR:L) with no user interaction; heap corruption yields high confidentiality, integrity and availability impact within the kernel.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:23 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: nl80211: reject oversized EMA RNR lists

nl80211_parse_rnr_elems() stores the parsed element count in a u8-backed cfg80211_rnr_elems::cnt field and uses that count to size the flexible array allocation.

Reject nested NL80211_ATTR_EMA_RNR_ELEMS input once the count reaches 255, before incrementing it again. This keeps the parser aligned with the data structure it fills and matches the existing bound check used by nl80211_parse_mbssid_elems().

AnalysisAI

Heap buffer overflow in the Linux kernel's nl80211 WiFi configuration subsystem (cfg80211) allows a local user with network-configuration privileges to corrupt kernel memory by supplying an oversized EMA (Enhanced Multiple BSSID Advertisement) RNR element list. The parser nl80211_parse_rnr_elems() stores its element count in a u8 field and uses it to size a flexible-array allocation, so submitting 256 or more nested NL80211_ATTR_EMA_RNR_ELEMS attributes wraps the counter and produces an undersized allocation that is then overrun. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local CAP_NET_ADMIN access
Delivery
Craft nl80211 set-beacon request
Exploit
Submit 256+ EMA RNR elements
Execution
Wrap u8 count, undersize allocation
Persist
Out-of-bounds heap write
Impact
Kernel corruption: DoS or privilege escalation

Vulnerability AssessmentAI

Exploitation Requires local code execution and CAP_NET_ADMIN capability to invoke nl80211 AP/beacon configuration commands; the attacker must submit a nested NL80211_ATTR_EMA_RNR_ELEMS attribute list whose element count reaches/exceeds 255 to wrap the u8 cfg80211_rnr_elems::cnt field. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to a real-but-locally-scoped memory-corruption bug rather than a remotely wormable one. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user (or compromised service) holding CAP_NET_ADMIN - for example inside a privileged container or network namespace - issues an nl80211 command to set beacon/AP parameters with a crafted nested NL80211_ATTR_EMA_RNR_ELEMS list of 256+ elements, wrapping the u8 count and forcing an undersized kernel heap allocation that is then overrun. The resulting out-of-bounds heap write can crash the kernel (DoS) or, with careful heap grooming, be steered toward local privilege escalation. …
Remediation Vendor-released patch: upgrade to a fixed stable kernel - 6.1.176, 6.6.143, 6.12.94, 7.0.13, 6.18.36, or mainline 7.1 (or your distribution's build incorporating these commits). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory Linux systems running vulnerable kernel versions and identify those with users holding network-configuration privileges. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53182 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy