PatchSiren

CVE-2026-31394 Linux CVE debrief

CVE-2026-31394 is a Linux kernel mac80211 vulnerability that can crash the system during channel bandwidth changes. The bug affects AP_VLAN stations because ieee80211_chan_bw_change() follows sta->sdata->link[...] even when the VLAN sdata does not participate in chanctx reservations, leaving a NULL chan pointer that can be dereferenced in __ieee80211_sta_cap_rx_bw(). The result is a denial-of-service condition on affected wireless systems; the issue is fixed by resolving the VLAN sdata back to its parent AP sdata before accessing link data.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-03
Original CVE updated: 2026-05-20
Advisory published: 2026-04-03
Advisory updated: 2026-05-20

Who should care

Linux administrators, kernel maintainers, and platform teams running affected Linux kernel builds, especially systems that use mac80211-based wireless networking, AP_VLAN interfaces, 4addr/WDS clients, or channel switch announcement (CSA) workflows.

Technical summary

The kernel fix addresses a NULL pointer dereference in mac80211. In ieee80211_chan_bw_change(), station iteration can reach AP_VLAN stations whose sta->sdata points to the VLAN sdata instead of the parent AP sdata. That VLAN link never participates in chanctx reservations, so link->reserved.oper can remain zero-initialized with chan == NULL. When __ieee80211_sta_cap_rx_bw() later accesses chandef->chan->band during CSA, the NULL chan pointer can crash the kernel. NVD marks the weakness as CWE-476 and rates the issue CVSS 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). The vulnerable Linux kernel ranges listed by NVD include 6.11 up to but not including 6.12.78, 6.13 up to but not including 6.18.20, 6.19 up to but not including 6.19.10, and 7.0-rc1 through 7.0-rc4.

Defensive priority

Medium. The bug is locally triggered and requires low privileges, but it can cause a kernel crash and high availability impact on wireless hosts.

Recommended defensive actions

  • Apply the upstream or stable kernel fixes referenced by NVD and your distribution vendor.
  • Prioritize patching systems that use mac80211, AP_VLAN, 4addr/WDS, or CSA-dependent wireless configurations.
  • If you rely on vendor kernels, verify that the fix has been backported rather than assuming the upstream version number alone is sufficient.
  • Monitor affected hosts for unexpected kernel crashes or wireless stack instability until remediation is complete.
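
A triage helper for the actions above, added here as an example and not taken from NVD or the kernel project: it compares a `uname -r` style release string with the version ranges quoted in the technical summary. The function names and sample release strings are constructed for illustration, only the ranges quoted on this page are covered, and a match means "verify the fix or backport", not "confirmed vulnerable".

```python
import platform
import re

FINAL = 10**6  # sorts a final release after any of its -rc builds

# (start inclusive, end exclusive), copied from the ranges quoted on this page.
LISTED_RANGES = [
    ((6, 11, 0, FINAL), (6, 12, 78, FINAL)),
    ((6, 13, 0, FINAL), (6, 18, 20, FINAL)),
    ((6, 19, 0, FINAL), (6, 19, 10, FINAL)),
    ((7, 0, 0, 1), (7, 0, 0, 5)),  # 7.0-rc1 through 7.0-rc4
]

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Turn a `uname -r` style string into a sortable (major, minor, patch, rc) key."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else FINAL)


def in_listed_range(release):
    """True when the upstream base version falls inside a range quoted on this page."""
    key = parse_release(release)
    return any(lo <= key < hi for lo, hi in LISTED_RANGES)


def assess(release):
    # Vendor kernels may carry the fix under an older base version, so a match
    # is a prompt to check the package changelog, not a verdict.
    if in_listed_range(release):
        return "in listed range: confirm the fix or a vendor backport is present"
    return "outside listed ranges"


if __name__ == "__main__":
    # Constructed sample strings, followed by the local host's release.
    samples = ["6.10.14", "6.12.77", "6.12.78", "6.14.0-29-generic", "7.0-rc4", "7.0-rc5"]
    for rel in samples + [platform.release()]:
        try:
            print(f"{rel:24} {assess(rel)}")
        except ValueError as exc:
            print(f"{rel:24} skipped ({exc})")
```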

Evidence notes

The source description states that ieee80211_chan_bw_change() iterates stations and accesses link->reserved.oper via sta->sdata->link[link_id], but AP_VLAN stations point to a VLAN sdata whose link does not participate in chanctx reservations. That leaves link->reserved.oper with chan == NULL and can lead to a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when it accesses chandef->chan->band during CSA. The described fix resolves the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data. NVD lists the record as analyzed, with CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and CWE-476, and provides vulnerable version criteria for affected Linux kernel releases.

Official resources

Published 2026-04-03T16:16:37.597Z; last modified 2026-05-20T15:08:26.533Z. Timeline values are taken from the supplied CVE and NVD source data.