Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local-only netlink path needing CAP_NET_ADMIN (PR:L) with no user interaction; heap corruption yields high confidentiality, integrity and availability impact within the kernel.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
wifi: nl80211: reject oversized EMA RNR lists
nl80211_parse_rnr_elems() stores the parsed element count in a u8-backed cfg80211_rnr_elems::cnt field and uses that count to size the flexible array allocation.
Reject nested NL80211_ATTR_EMA_RNR_ELEMS input once the count reaches 255, before incrementing it again. This keeps the parser aligned with the data structure it fills and matches the existing bound check used by nl80211_parse_mbssid_elems().
AnalysisAI
Heap buffer overflow in the Linux kernel's nl80211 WiFi configuration subsystem (cfg80211) allows a local user with network-configuration privileges to corrupt kernel memory by supplying an oversized EMA (Enhanced Multiple BSSID Advertisement) RNR element list. The parser nl80211_parse_rnr_elems() stores its element count in a u8 field and uses it to size a flexible-array allocation, so submitting 256 or more nested NL80211_ATTR_EMA_RNR_ELEMS attributes wraps the counter and produces an undersized allocation that is then overrun. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local code execution and CAP_NET_ADMIN capability to invoke nl80211 AP/beacon configuration commands; the attacker must submit a nested NL80211_ATTR_EMA_RNR_ELEMS attribute list whose element count reaches/exceeds 255 to wrap the u8 cfg80211_rnr_elems::cnt field. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a real-but-locally-scoped memory-corruption bug rather than a remotely wormable one. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user (or compromised service) holding CAP_NET_ADMIN - for example inside a privileged container or network namespace - issues an nl80211 command to set beacon/AP parameters with a crafted nested NL80211_ATTR_EMA_RNR_ELEMS list of 256+ elements, wrapping the u8 count and forcing an undersized kernel heap allocation that is then overrun. The resulting out-of-bounds heap write can crash the kernel (DoS) or, with careful heap grooming, be steered toward local privilege escalation. … |
| Remediation | Vendor-released patch: upgrade to a fixed stable kernel - 6.1.176, 6.6.143, 6.12.94, 7.0.13, 6.18.36, or mainline 7.1 (or your distribution's build incorporating these commits). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory Linux systems running vulnerable kernel versions and identify those with users holding network-configuration privileges. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39273
GHSA-q6qm-26ch-2w94