Skip to main content

Linux Kernel EUVDEUVD-2026-32793

| CVE-2026-46166 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-pqxf-3wq6-69f8
8.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:59 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
8.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: use safe list iteration in radar detect work

The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.

AnalysisAI

Use-after-free in the Linux kernel mac80211 wireless subsystem allows attackers on the adjacent wireless network to corrupt kernel memory by triggering radar detection cancellation paths that free a channel context still being iterated. No public exploit identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile), but the high CVSS reflects severe potential impact on confidentiality, integrity, and availability if exploited. A vendor-released patch is available in stable kernel updates including 6.12.88, 6.18.30, and 7.0.7.

Technical ContextAI

The flaw lives in net/mac80211, the Linux kernel's soft-MAC framework for 802.11 drivers, specifically in the deferred work that performs DFS (Dynamic Frequency Selection) radar detection on regulated 5 GHz channels. The radar-detect worker iterates the list of channel contexts (chanctx) and calls ieee80211_dfs_cac_cancel(), which can free the very chanctx entry currently being iterated and unlink it from the list, producing a classic slab-use-after-free (CWE-416 class, though CWE is marked N/A in the input). The fix converts the loop to a list_for_each_entry_safe-style iteration so the next pointer is cached before the callback can release the current node. The affected code path is reachable on any kernel build with mac80211 and DFS-capable wireless drivers loaded.

RemediationAI

Vendor-released patch: upgrade the kernel to 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 (mainline) or later, using the stable commits 120149fb3ebcf, 7577a4b8a10fa, 887ece6c23b49, or ac8eb3e18f41 referenced at git.kernel.org/stable/c/. For distribution kernels, apply the corresponding vendor backport from Debian, Ubuntu, RHEL, SUSE, or your distro's security update channel as soon as it is published. If patching must be delayed on wireless APs or mesh routers, a partial workaround is to operate the radio on non-DFS channels (e.g., 2.4 GHz only, or 5 GHz UNII-1/UNII-3 where regulatory rules allow) so the radar detect worker is never scheduled; the trade-off is reduced 5 GHz spectrum availability and potential regulatory non-compliance in regions that mandate DFS. Disabling mac80211-based wireless entirely on systems that do not need it (rmmod mac80211 plus driver modules, or blacklist in modprobe.d) eliminates the attack surface at the cost of losing WiFi functionality.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32793 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy