PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23246 Linux CVE debrief

CVE-2026-23246 is a high-severity Linux kernel Wi-Fi/mac80211 vulnerability published on 2026-03-18 and last modified on 2026-04-02. The issue is a missing bounds check in ieee80211_ml_reconfiguration: link_id is derived from the ML Reconfiguration element and can range from 0 to 15, but the link_removal_timeout[] stack array has only 15 elements. As described in the source record, accepting link_id == 15 can lead to an out-of-bounds stack write. The vulnerability is rated CVSS 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Vendor
Linux
Product
Unknown
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-18
Original CVE updated
2026-04-02
Advisory published
2026-03-18
Advisory updated
2026-04-02

Who should care

Linux kernel maintainers, distro security teams, embedded device vendors, and operators of systems that use the kernel Wi-Fi/mac80211 stack should prioritize this issue, especially where wireless management frames may be processed in production environments.

Technical summary

The CVE description states that ieee80211_ml_reconfiguration uses link_id from the ML Reconfiguration element control field (control & 0x000f), which can yield values 0 through 15. The target array, link_removal_timeout[], is sized to IEEE80211_MLD_MAX_NUM_LINKS, which is 15. Because index 15 is outside the valid range, the function could perform an out-of-bounds write on stack memory. The source record indicates the fix is to skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS. The NVD record is marked "Undergoing Analysis."

Defensive priority

High. This is a memory-corruption flaw in a widely deployed kernel networking component, with potential impact to confidentiality, integrity, and availability, and it is reachable via adjacent-wireless attack conditions per the CVSS vector.

Recommended defensive actions

  • Review whether your Linux kernels include the mac80211 ML Reconfiguration code path referenced by the kernel stable commits linked in the source record.
  • Apply the upstream/stable kernel fix that bounds-checks link_id and rejects subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS.
  • Prioritize remediation on systems with Wi-Fi enabled, especially laptops, access points, embedded devices, and other wireless-capable Linux systems.
  • Track distribution advisories and kernel update channels for backported fixes, since the public record does not provide affected version ranges.
  • Validate remediation by confirming the presence of the vendor or distribution patch in your deployed kernel builds.

Evidence notes

All substantive claims in this debrief are taken from the supplied CVE record and its official references. The CVE description explicitly says link_id can be 0..15, link_removal_timeout[] has 15 elements, and index 15 is out-of-bounds, resulting in a stack out-of-bounds write. The CVSS vector in the source record is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The NVD record status is "Undergoing Analysis." The provided references point to official Linux kernel stable commits, which support the remediation guidance.

Official resources

Public CVE record published 2026-03-18T11:16:16.570Z and modified 2026-04-02T15:16:26.923Z. This debrief uses the published CVE metadata, the description provided in the source corpus, and the official references listed with the record.