VYPR
Medium severity 5.5 · NVD Advisory · Published Apr 3, 2026 · Updated May 20, 2026

CVE-2026-31394

Description

In the Linux kernel, the following vulnerability has been resolved:

mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations

ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA.

Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data.

[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]
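
A user-space C model of the lookup described above, added here as an illustration and not taken from the kernel patch. The struct layouts, the `bss_parent` field and `get_bss_sdata_model()` are simplified assumptions standing in for the mac80211 types and `get_bss_sdata()`. It shows why a station on an AP_VLAN reaches a `chan == NULL` chandef through `sta->sdata`, and why resolving to the parent AP sdata first avoids it.

```c
#include <stdio.h>
/* User-space model only: names follow the advisory text, layouts are assumed. */
enum iftype { IFTYPE_AP, IFTYPE_AP_VLAN };
struct channel { int band; };
struct chandef { struct channel *chan; };
struct link_data { struct { struct chandef oper; } reserved; };
struct sdata {
    enum iftype type;
    struct sdata *bss_parent;   /* owning AP for a VLAN (assumed field) */
    struct link_data link[1];
};
struct sta { struct sdata *sdata; };

/* Stand-in for the helper named in the fix: VLAN sdata -> parent AP sdata. */
static struct sdata *get_bss_sdata_model(struct sdata *sdata)
{
    return sdata->type == IFTYPE_AP_VLAN ? sdata->bss_parent : sdata;
}

/* Lookup as described before the fix: goes through sta->sdata directly. */
static struct chandef *oper_unfixed(struct sta *sta, int link_id)
{
    return &sta->sdata->link[link_id].reserved.oper;
}

/* Lookup after the fix: resolve to the AP sdata first. */
static struct chandef *oper_fixed(struct sta *sta, int link_id)
{
    return &get_bss_sdata_model(sta->sdata)->link[link_id].reserved.oper;
}

/* Returns the band, or -1 where chan == NULL would be dereferenced. */
static int band_or_fault(const struct chandef *cd)
{
    return cd->chan ? cd->chan->band : -1;
}

/* Constructed scenario: the AP link holds the reservation, the VLAN does not. */
static int demo(int use_fix)
{
    static struct channel ch = { .band = 1 };
    static struct sdata ap = { .type = IFTYPE_AP };
    static struct sdata vlan = { .type = IFTYPE_AP_VLAN, .bss_parent = &ap };
    struct sta wds = { .sdata = &vlan };
    ap.link[0].reserved.oper.chan = &ch;   /* only the AP link reserves */
    return band_or_fault(use_fix ? oper_fixed(&wds, 0) : oper_unfixed(&wds, 0));
}

int main(void) { printf("unfixed: %d, fixed: %d\n", demo(0), demo(1)); return 0; }
```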

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

mac80211: NULL pointer dereference in ieee80211_chan_bw_change() for AP_VLAN stations leads to crash during CSA.

A vulnerability in the Linux kernel's mac80211 subsystem can cause a NULL pointer dereference and system crash when a channel switch announcement (CSA) is processed on an interface that has WDS (4addr) clients attached via an AP_VLAN. The bug occurs in ieee80211_chan_bw_change(), which iterates all stations and dereferences link->reserved.oper using the station's sdata pointer. For stations associated with AP_VLAN interfaces, sta->sdata points to the VLAN sdata, whose link data is never initialized for channel reservation contexts, leaving chan as NULL [1][2][3][4].

An attacker who can trigger a CSA on the wireless network (e.g., via crafted beacon or action frames) can exploit this crash. No authentication is required if the attacker is within radio range and can inject management frames, though in practice the attacker must control an access point or have the ability to trigger a channel switch. The crash is deterministic and occurs in __ieee80211_sta_cap_rx_bw() when it accesses chandef->chan->band [1].

The impact is a denial of service (kernel panic) on the system running the vulnerable kernel. This can disrupt all wireless services on the affected machine. The vulnerability is rated Medium (CVSS 5.5) due to the requirement of a specific attack scenario (CSA trigger) and local proximity [1][2][3][4].

The fix resolves the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data [1]. Patches are available in the stable kernel trees; administrators should apply the corresponding kernel update as soon as possible. No workaround is known besides disabling 4-address WDS/AP_VLAN mode or blocking CSA frames at the firewall if feasible.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
