{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23246", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.989Z", "datePublished": "2026-03-18T10:05:08.312Z", "dateUpdated": "2026-05-11T22:03:08.962Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:03:08.962Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration\n\nlink_id is taken from the ML Reconfiguration element (control & 0x000f),\nso it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS\n(15) elements, so index 15 is out-of-bounds. Skip subelements with\nlink_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds\nwrite."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/mlme.c"], "versions": [{"version": "8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c", "lessThan": "650981e718e68005ca2760a6358134b8a98ebea4", "status": "affected", "versionType": "git"}, {"version": "8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c", "lessThan": "bfde158d5d1322c0c2df398a8d1ccce04943be2e", "status": "affected", "versionType": "git"}, {"version": "8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c", "lessThan": "f35ceec54d48e227fa46f8f97fd100a77b8eab15", "status": "affected", "versionType": "git"}, {"version": "8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c", "lessThan": "d58d71c2167601762351962b9604808d3be94400", "status": "affected", "versionType": "git"}, {"version": "8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c", "lessThan": "162d331d833dc73a3e905a24c44dd33732af1fc5", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/mlme.c"], "versions": [{"version": "6.5", "status": "affected"}, {"version": "0", "lessThan": "6.5", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/650981e718e68005ca2760a6358134b8a98ebea4"}, {"url": "https://git.kernel.org/stable/c/bfde158d5d1322c0c2df398a8d1ccce04943be2e"}, {"url": "https://git.kernel.org/stable/c/f35ceec54d48e227fa46f8f97fd100a77b8eab15"}, {"url": "https://git.kernel.org/stable/c/d58d71c2167601762351962b9604808d3be94400"}, {"url": "https://git.kernel.org/stable/c/162d331d833dc73a3e905a24c44dd33732af1fc5"}], "title": "wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration\n\nlink_id is taken from the ML Reconfiguration element (control & 0x000f),\nso it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS\n(15) elements, so index 15 is out-of-bounds. Skip subelements with\nlink_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds\nwrite."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: mac80211: verificaci\u00f3n de l\u00edmites de link_id en ieee80211_ml_reconfiguration\n\nlink_id se toma del elemento de reconfiguraci\u00f3n ML (control & 0x000f), por lo que puede ser 0..15. link_removal_timeout[] tiene IEEE80211_MLD_MAX_NUM_LINKS (15) elementos, por lo que el \u00edndice 15 est\u00e1 fuera de los l\u00edmites. Omitir subelementos con link_id >= IEEE80211_MLD_MAX_NUM_LINKS para evitar una escritura fuera de los l\u00edmites de la pila."}], "id": "CVE-2026-23246", "lastModified": "2026-04-02T15:16:26.923", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-18T11:16:16.570", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/162d331d833dc73a3e905a24c44dd33732af1fc5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/650981e718e68005ca2760a6358134b8a98ebea4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bfde158d5d1322c0c2df398a8d1ccce04943be2e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d58d71c2167601762351962b9604808d3be94400"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f35ceec54d48e227fa46f8f97fd100a77b8eab15"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: Linux kernel: Denial of Service in mac80211 Wi-Fi due to out-of-bounds write", "id": "2448600", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448600"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["A flaw was found in the Linux kernel's mac80211 Wi-Fi subsystem. This vulnerability occurs in the ieee80211_ml_reconfiguration function when processing a Multi-Link (ML) Reconfiguration element. An attacker can provide a crafted link_id value that is not properly bounds-checked, leading to an out-of-bounds write on the stack. This can result in a denial of service (DoS), potentially making the system unavailable."], "name": "CVE-2026-23246", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23246\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23246\nhttps://lore.kernel.org/linux-cve-announce/2026031817-CVE-2026-23246-d29e@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c,bfde158d5d1322c0c2df398a8d1ccce04943be2e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c,f35ceec54d48e227fa46f8f97fd100a77b8eab15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c,d58d71c2167601762351962b9604808d3be94400)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c,162d331d833dc73a3e905a24c44dd33732af1fc5)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.5"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.5)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-02T17:11:12.753763+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the bounds\u2011check fix and reinstall the updated package."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw is present in the Linux kernel\u2019s wireless stack. All distributions that ship the upstream kernel without the committed bounds\u2011check are affected. No specific kernel versions are listed in the advisory, so any kernel before the fix commit can be considered vulnerable.", "description_and_impact": "An out-of-bounds write occurs when the mac80211 subsystem processes the ML Reconfiguration element of an IEEE\u202f802.11 frame; the link_id field can be 15 while the link_removal_timeout array only has 15 entries (indices 0\u201114), so writing at index 15 corrupts stack memory. This memory corruption can overwrite kernel data structures and potentially be leveraged to execute arbitrary code with kernel privileges.", "risk_and_exploitability": "The CVSS score of 8.8 signals high severity, and though the EPSS score is below 1%, the risk remains significant. The likely attack vector is a malicious Wi\u2011Fi frame containing an ML Reconfiguration element with an out\u2011of\u2011range link_id; an attacker on the same wireless network could send such a frame to trigger the exploit. The vulnerability is not in CISA\u2019s KEV catalog, however the absence of known exploits does not reduce the urgency of applying the patch."}}}}, "created": "2026-03-19T08:56:45.676416+00:00", "updated": "2026-04-02T20:23:30.758650+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}