{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31394", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.085Z", "datePublished": "2026-04-03T15:15:58.806Z", "dateUpdated": "2026-05-11T22:07:51.015Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:07:51.015Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations\n\nieee80211_chan_bw_change() iterates all stations and accesses\nlink->reserved.oper via sta->sdata->link[link_id]. For stations on\nAP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to\nthe VLAN sdata, whose link never participates in chanctx reservations.\nThis leaves link->reserved.oper zero-initialized with chan == NULL,\ncausing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()\nwhen accessing chandef->chan->band during CSA.\n\nResolve the VLAN sdata to its parent AP sdata using get_bss_sdata()\nbefore accessing link data.\n\n[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/chan.c"], "versions": [{"version": "b27512368591fc959768df1f7dacf2a96b1bd036", "lessThan": "65c25b588994dd422fea73fa322de56e1ae4a33b", "status": "affected", "versionType": "git"}, {"version": "b27512368591fc959768df1f7dacf2a96b1bd036", "lessThan": "5a86d4e920d9783a198e39cf53f0e410fba5fbd6", "status": "affected", "versionType": "git"}, {"version": "b27512368591fc959768df1f7dacf2a96b1bd036", "lessThan": "3c6629e859a2211a1fbb4868f915413f80001ca5", "status": "affected", "versionType": "git"}, {"version": "b27512368591fc959768df1f7dacf2a96b1bd036", "lessThan": "672e5229e1ecfc2a3509b53adcb914d8b024a853", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mac80211/chan.c"], "versions": [{"version": "6.11", "status": "affected"}, {"version": "0", "lessThan": "6.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/65c25b588994dd422fea73fa322de56e1ae4a33b"}, {"url": "https://git.kernel.org/stable/c/5a86d4e920d9783a198e39cf53f0e410fba5fbd6"}, {"url": "https://git.kernel.org/stable/c/3c6629e859a2211a1fbb4868f915413f80001ca5"}, {"url": "https://git.kernel.org/stable/c/672e5229e1ecfc2a3509b53adcb914d8b024a853"}], "title": "mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations\n\nieee80211_chan_bw_change() iterates all stations and accesses\nlink->reserved.oper via sta->sdata->link[link_id]. For stations on\nAP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to\nthe VLAN sdata, whose link never participates in chanctx reservations.\nThis leaves link->reserved.oper zero-initialized with chan == NULL,\ncausing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()\nwhen accessing chandef->chan->band during CSA.\n\nResolve the VLAN sdata to its parent AP sdata using get_bss_sdata()\nbefore accessing link data.\n\n[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]"}], "id": "CVE-2026-31394", "lastModified": "2026-04-07T13:20:55.200", "metrics": {}, "published": "2026-04-03T16:16:37.597", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3c6629e859a2211a1fbb4868f915413f80001ca5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5a86d4e920d9783a198e39cf53f0e410fba5fbd6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/65c25b588994dd422fea73fa322de56e1ae4a33b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/672e5229e1ecfc2a3509b53adcb914d8b024a853"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations", "id": "2454814", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454814"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["A flaw was found in the Linux kernel's mac80211 component. This vulnerability occurs when processing stations on AP_VLAN interfaces, such as 4-address Wireless Distribution System (WDS) clients. An attacker could trigger a null pointer dereference during Channel Switch Announcement (CSA) operations, leading to a system crash and a Denial of Service (DoS)."], "name": "CVE-2026-31394", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31394\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31394\nhttps://lore.kernel.org/linux-cve-announce/2026040325-CVE-2026-31394-26ac@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,65c25b588994dd422fea73fa322de56e1ae4a33b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,5a86d4e920d9783a198e39cf53f0e410fba5fbd6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,3c6629e859a2211a1fbb4868f915413f80001ca5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,672e5229e1ecfc2a3509b53adcb914d8b024a853)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-04T04:06:20.004736+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the fix for CVE-2026-31394.", "Verify the running kernel version with `uname -r` and confirm it matches a patched release.", "If a patch is not yet available, disable AP_VLAN (4\u2011address WDS) traffic on the wireless interface until a patched kernel can be installed.", "Monitor system logs (e.g., dmesg or /var/log/kern.log) for indications of kernel OOPS or panic events related to ieee80211_chan_bw_change."], "summary": {"action": "Apply patch", "impact": "Kernel crash (Denial of Service)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Linux kernel implementations that contain the unpatched mac80211 code and operate with AP_VLAN (4\u2011address WDS) interfaces. Because no specific version range is listed, any kernel prior to the application of the fix commit is potentially vulnerable. The vendor is Linux and the product is the Linux kernel.", "description_and_impact": "A null pointer dereference occurs in the mac80211 subsystem of the Linux kernel when an AP_VLAN station undergoes a channel width change. During the transition, the driver accesses link data that is uninitialized for VLAN interfaces, leading to a dereference of a null pointer in __ieee80211_sta_cap_rx_bw(). The result is a kernel panic, which manifests as a system crash or reboot.", "risk_and_exploitability": "The CVSS score of 7.0 indicates high severity. No EPSS score is available, and it is not listed in CISA\u2019s KEV catalog. The likely attack vector is through crafted IEEE 802.11 traffic directed at the vulnerable driver; an attacker would need to send such traffic to a device running the affected kernel. The vulnerability does not provide a path to remote code execution, but it can cause a denial of service by crashing the system."}}}}, "created": "2026-04-03T21:13:19.098118+00:00", "updated": "2026-04-07T07:16:56.732416+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}