Detections
Analytics

CVE-2026-31394

medium

Description

In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA. Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data. [also change sta->sdata in ARRAY_SIZE even if it doesn't matter]

References

https://git.kernel.org/stable/c/672e5229e1ecfc2a3509b53adcb914d8b024a853

https://git.kernel.org/stable/c/65c25b588994dd422fea73fa322de56e1ae4a33b

https://git.kernel.org/stable/c/5a86d4e920d9783a198e39cf53f0e410fba5fbd6

https://git.kernel.org/stable/c/3c6629e859a2211a1fbb4868f915413f80001ca5

Details

Source: Mitre, NVD

Published: 2026-04-03

Updated: 2026-04-03

Risk Information

CVSS v2

Base Score: 4.9

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Severity: Medium

EPSS

EPSS: 0.00018