CVE-2026-23246
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration
link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15 is out-of-bounds. Skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing bounds check on link_id in the Linux kernel's mac80211 leads to a stack out-of-bounds write, potentially allowing privilege escalation.
Root
Cause
The vulnerability resides in the ieee80211_ml_reconfiguration function in the Linux kernel's mac80211 subsystem. The link_id value, extracted from the ML Reconfiguration element (control & 0x000f), can range from 0 to 15. However, the link_removal_timeout[] array is sized to IEEE80211_MLD_MAX_NUM_LINKS (15 elements), meaning index 15 is out-of-bounds. This lack of bounds checking can result in a stack out-of-bounds write [1][2].
Exploitation
An attacker must be able to transmit a crafted Multi-Link Reconfiguration element to a station that processes it. This typically requires the attacker to be within radio range and authenticated as a client. By supplying a link_id of 15 (or higher), an out-of-bounds write occurs on the stack, corrupting adjacent memory [3].
Impact
A successful exploit can corrupt kernel memory, potentially leading to denial of service or privilege escalation. The CVSSv3 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, though the attack complexity is low and no privileges are required but user interaction may be limited [description].
Mitigation
The fix, which adds a bounds check to skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS, has been applied to stable kernel trees. Administrators should update to patched versions as soon as possible [1][2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- git.kernel.org/stable/c/162d331d833dc73a3e905a24c44dd33732af1fc5nvd
- git.kernel.org/stable/c/650981e718e68005ca2760a6358134b8a98ebea4nvd
- git.kernel.org/stable/c/bfde158d5d1322c0c2df398a8d1ccce04943be2envd
- git.kernel.org/stable/c/d58d71c2167601762351962b9604808d3be94400nvd
- git.kernel.org/stable/c/f35ceec54d48e227fa46f8f97fd100a77b8eab15nvd
News mentions
0No linked articles in our index yet.