CVE-2026-31394
Description
In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA. Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data. [also change sta->sdata in ARRAY_SIZE even if it doesn't matter]
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Linux kernel Affected 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 7.0 | Affected | โ |
| โ | Affected | 6.12.78 |
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.12.85-1 |
| sid | Fixed | 6.19.10-1 |
| forky | Fixed | 6.19.10-1 |
| bullseye | Fixed | 0 |
| bookworm | Fixed | 0 |
References
- https://git.kernel.org/stable/c/3c6629e859a2211a1fbb4868f915413f80001ca5
- https://git.kernel.org/stable/c/5a86d4e920d9783a198e39cf53f0e410fba5fbd6
- https://git.kernel.org/stable/c/65c25b588994dd422fea73fa322de56e1ae4a33b
- https://git.kernel.org/stable/c/672e5229e1ecfc2a3509b53adcb914d8b024a853
- https://www.suse.com/security/cve/CVE-2026-31394.html
- https://security-tracker.debian.org/tracker/CVE-2026-31394
CWEs
CWE-476
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.