CVE-2026-23246 PUBLISHED

wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration

Assigner: Linux
Reserved: 13.01.2026 Published: 18.03.2026 Updated: 18.03.2026

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration

link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15 is out-of-bounds. Skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write.

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from 8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c to bfde158d5d1322c0c2df398a8d1ccce04943be2e (excl.) affected from 8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c to f35ceec54d48e227fa46f8f97fd100a77b8eab15 (excl.) affected from 8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c to d58d71c2167601762351962b9604808d3be94400 (excl.) affected from 8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c to 162d331d833dc73a3e905a24c44dd33732af1fc5 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 6.5 is affected unaffected from 0 to 6.5 (excl.) unaffected from 6.12.77 to 6.12.* (incl.) unaffected from 6.18.17 to 6.18.* (incl.) unaffected from 6.19.7 to 6.19.* (incl.) unaffected from 7.0-rc2 to * (incl.)

CVE-2026-23246 PUBLISHED

wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration

Product Status

References