Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-46166

CVE-2026-46166

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: use safe list iteration in radar detect work

The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.

Affected products

2

Patches

8
ac8eb3e18f41

wifi: mac80211: use safe list iteration in radar detect work

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Benjamin Berg · Fixed in 7.1-rc3 · via kernel-cna
1 file changed · +2 3
  • net/mac80211/util.c+2 3 modified
    diff --git a/net/mac80211/util.c b/net/mac80211/util.c
    index b093bc203c8159..2529b01e2cd55c 100644
    --- a/net/mac80211/util.c
    +++ b/net/mac80211/util.c
    @@ -3700,11 +3700,11 @@ void ieee80211_dfs_radar_detected_work(struct wiphy *wiphy,
     	struct ieee80211_local *local =
     		container_of(work, struct ieee80211_local, radar_detected_work);
     	struct cfg80211_chan_def chandef;
    -	struct ieee80211_chanctx *ctx;
    +	struct ieee80211_chanctx *ctx, *tmp;
     
     	lockdep_assert_wiphy(local->hw.wiphy);
     
    -	list_for_each_entry(ctx, &local->chanctx_list, list) {
    +	list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
     		if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
     			continue;
     
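Review bot: `list_for_each_entry_safe` at the loop head only protects the iterator against removal of the entry currently being visited, so this fix is complete only if the loop body never dereferences `ctx` after the call that can free it, and that call never unlinks the entry already saved in `tmp`. The commit description names `ieee80211_dfs_cac_cancel` as the call that frees the context, but the loop body lies outside this hunk, so neither condition can be confirmed from here. I would record the constraint at the loop with a comment such as `/* ieee80211_dfs_cac_cancel() may unlink and free ctx; do not use ctx after it */`. The same point applies to the other seven copies of this hunk on the page (the stable backports at old lines 3623, 3504 and 3565, and their repeats).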
    -- 
    cgit 1.3-korg
    
    
    
120149fb3ebc

wifi: mac80211: use safe list iteration in radar detect work

1 file changed · +2 3
  • net/mac80211/util.c+2 3 modified
    diff --git a/net/mac80211/util.c b/net/mac80211/util.c
    index b2e6c8b98381bc..6cceaf4bc0d976 100644
    --- a/net/mac80211/util.c
    +++ b/net/mac80211/util.c
    @@ -3623,11 +3623,11 @@ void ieee80211_dfs_radar_detected_work(struct wiphy *wiphy,
     	struct ieee80211_local *local =
     		container_of(work, struct ieee80211_local, radar_detected_work);
     	struct cfg80211_chan_def chandef;
    -	struct ieee80211_chanctx *ctx;
    +	struct ieee80211_chanctx *ctx, *tmp;
     
     	lockdep_assert_wiphy(local->hw.wiphy);
     
    -	list_for_each_entry(ctx, &local->chanctx_list, list) {
    +	list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
     		if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
     			continue;
     
    -- 
    cgit 1.3-korg
    
    
    
887ece6c23b4

wifi: mac80211: use safe list iteration in radar detect work

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Benjamin Berg · Fixed in 6.12.88 · via kernel-cna
1 file changed · +2 3
  • net/mac80211/util.c+2 3 modified
    diff --git a/net/mac80211/util.c b/net/mac80211/util.c
    index 77638e965726c5..5bb9e1d2479f38 100644
    --- a/net/mac80211/util.c
    +++ b/net/mac80211/util.c
    @@ -3504,11 +3504,11 @@ void ieee80211_dfs_radar_detected_work(struct wiphy *wiphy,
     	struct ieee80211_local *local =
     		container_of(work, struct ieee80211_local, radar_detected_work);
     	struct cfg80211_chan_def chandef;
    -	struct ieee80211_chanctx *ctx;
    +	struct ieee80211_chanctx *ctx, *tmp;
     
     	lockdep_assert_wiphy(local->hw.wiphy);
     
    -	list_for_each_entry(ctx, &local->chanctx_list, list) {
    +	list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
     		if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
     			continue;
     
    -- 
    cgit 1.3-korg
    
    
    
7577a4b8a10f

wifi: mac80211: use safe list iteration in radar detect work

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Benjamin Berg · Fixed in 6.18.30 · via kernel-cna
1 file changed · +2 3
  • net/mac80211/util.c+2 3 modified
    diff --git a/net/mac80211/util.c b/net/mac80211/util.c
    index c9931537f9d2d3..62e1a37849d043 100644
    --- a/net/mac80211/util.c
    +++ b/net/mac80211/util.c
    @@ -3565,11 +3565,11 @@ void ieee80211_dfs_radar_detected_work(struct wiphy *wiphy,
     	struct ieee80211_local *local =
     		container_of(work, struct ieee80211_local, radar_detected_work);
     	struct cfg80211_chan_def chandef;
    -	struct ieee80211_chanctx *ctx;
    +	struct ieee80211_chanctx *ctx, *tmp;
     
     	lockdep_assert_wiphy(local->hw.wiphy);
     
    -	list_for_each_entry(ctx, &local->chanctx_list, list) {
    +	list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
     		if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
     			continue;
     
    -- 
    cgit 1.3-korg
    
    
    
7577a4b8a10f

wifi: mac80211: use safe list iteration in radar detect work

1 file changed · +2 3
  • net/mac80211/util.c+2 3 modified
    diff --git a/net/mac80211/util.c b/net/mac80211/util.c
    index c9931537f9d2d3..62e1a37849d043 100644
    --- a/net/mac80211/util.c
    +++ b/net/mac80211/util.c
    @@ -3565,11 +3565,11 @@ void ieee80211_dfs_radar_detected_work(struct wiphy *wiphy,
     	struct ieee80211_local *local =
     		container_of(work, struct ieee80211_local, radar_detected_work);
     	struct cfg80211_chan_def chandef;
    -	struct ieee80211_chanctx *ctx;
    +	struct ieee80211_chanctx *ctx, *tmp;
     
     	lockdep_assert_wiphy(local->hw.wiphy);
     
    -	list_for_each_entry(ctx, &local->chanctx_list, list) {
    +	list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
     		if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
     			continue;
     
    -- 
    cgit 1.3-korg
    
    
    
120149fb3ebc

wifi: mac80211: use safe list iteration in radar detect work

1 file changed · +2 3
  • net/mac80211/util.c+2 3 modified
    diff --git a/net/mac80211/util.c b/net/mac80211/util.c
    index b2e6c8b98381bc..6cceaf4bc0d976 100644
    --- a/net/mac80211/util.c
    +++ b/net/mac80211/util.c
    @@ -3623,11 +3623,11 @@ void ieee80211_dfs_radar_detected_work(struct wiphy *wiphy,
     	struct ieee80211_local *local =
     		container_of(work, struct ieee80211_local, radar_detected_work);
     	struct cfg80211_chan_def chandef;
    -	struct ieee80211_chanctx *ctx;
    +	struct ieee80211_chanctx *ctx, *tmp;
     
     	lockdep_assert_wiphy(local->hw.wiphy);
     
    -	list_for_each_entry(ctx, &local->chanctx_list, list) {
    +	list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
     		if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
     			continue;
     
    -- 
    cgit 1.3-korg
    
    
    
887ece6c23b4

wifi: mac80211: use safe list iteration in radar detect work

1 file changed · +2 3
  • net/mac80211/util.c+2 3 modified
    diff --git a/net/mac80211/util.c b/net/mac80211/util.c
    index 77638e965726c5..5bb9e1d2479f38 100644
    --- a/net/mac80211/util.c
    +++ b/net/mac80211/util.c
    @@ -3504,11 +3504,11 @@ void ieee80211_dfs_radar_detected_work(struct wiphy *wiphy,
     	struct ieee80211_local *local =
     		container_of(work, struct ieee80211_local, radar_detected_work);
     	struct cfg80211_chan_def chandef;
    -	struct ieee80211_chanctx *ctx;
    +	struct ieee80211_chanctx *ctx, *tmp;
     
     	lockdep_assert_wiphy(local->hw.wiphy);
     
    -	list_for_each_entry(ctx, &local->chanctx_list, list) {
    +	list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
     		if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
     			continue;
     
    -- 
    cgit 1.3-korg
    
    
    
ac8eb3e18f41

wifi: mac80211: use safe list iteration in radar detect work

1 file changed · +2 3
  • net/mac80211/util.c+2 3 modified
    diff --git a/net/mac80211/util.c b/net/mac80211/util.c
    index b093bc203c8159..2529b01e2cd55c 100644
    --- a/net/mac80211/util.c
    +++ b/net/mac80211/util.c
    @@ -3700,11 +3700,11 @@ void ieee80211_dfs_radar_detected_work(struct wiphy *wiphy,
     	struct ieee80211_local *local =
     		container_of(work, struct ieee80211_local, radar_detected_work);
     	struct cfg80211_chan_def chandef;
    -	struct ieee80211_chanctx *ctx;
    +	struct ieee80211_chanctx *ctx, *tmp;
     
     	lockdep_assert_wiphy(local->hw.wiphy);
     
    -	list_for_each_entry(ctx, &local->chanctx_list, list) {
    +	list_for_each_entry_safe(ctx, tmp, &local->chanctx_list, list) {
     		if (ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER)
     			continue;
     
    -- 
    cgit 1.3-korg
    
    
    

Vulnerability mechanics

Root cause

"Unsafe list iteration in ieee80211_dfs_radar_detected_work where the body of the loop can free the current chanctx entry, leading to a use-after-free when the iterator advances."

Attack vector

An attacker within radio range can trigger a radar detection event on a wireless channel that is part of an MLO (multi-link operation) context. When the kernel's DFS (Dynamic Frequency Selection) workqueue processes the event via ieee80211_dfs_radar_detected_work, it iterates over the chanctx_list. For each context, the loop may call ieee80211_dfs_cac_cancel, which can free the very chanctx being iterated. Because the original code used list_for_each_entry (unsafe against removal), the freed memory is accessed when the loop advances to the next entry, causing a slab-use-after-free [patch_id=2898127].

Affected code

The vulnerable code is in the function ieee80211_dfs_radar_detected_work in net/mac80211/util.c. The loop iterating local->chanctx_list used list_for_each_entry, which is unsafe when the loop body can free the current entry [patch_id=2898127].

What the fix does

The patch replaces list_for_each_entry with list_for_each_entry_safe in net/mac80211/util.c, adding a temporary pointer (tmp) that holds the next list entry before the current entry is potentially freed [patch_id=2898127]. This ensures that if ieee80211_dfs_cac_cancel removes and frees the current chanctx, the loop can still safely advance to the next entry via the pre-fetched tmp pointer. The change is minimal — only the iterator macro and the addition of the tmp variable — and directly addresses the root cause of the use-after-free. Note that list_for_each_entry_safe guards only against removal of the entry currently being visited; it does not make it safe to dereference the freed entry later in the loop body, nor does it protect against the pre-fetched next entry being removed.

Preconditions

  • input: A radar detection event must be triggered on a wireless channel that is part of an MLO chanctx.
  • network: Attacker must be within radio range to inject or induce a radar detection signal on the DFS channel.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
