PatchSiren

CVE-2026-46166 Linux CVE debrief

A slab-use-after-free vulnerability in the Linux kernel's mac80211 wireless subsystem has been resolved. The issue occurred in the radar detection work handler where unsafe list iteration could lead to accessing freed memory when `ieee80211_dfs_cac_cancel` is called. The fix implements safe list iteration to prevent the use-after-free condition when channel contexts are freed and removed from the list during iteration.

Vendor: Linux
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Organizations running Linux systems with wireless interfaces utilizing DFS radar detection, particularly in enterprise Wi-Fi deployments, regulatory domains requiring DFS, and embedded/IoT devices with mac80211-based wireless stacks.

Technical summary

The vulnerability exists in the mac80211 subsystem's radar detection work handler. While the handler iterates over the list of channel contexts, its call to `ieee80211_dfs_cac_cancel` can free the channel context currently being visited and remove it from the list. Without safe iteration primitives, the iterator then reads the next-element pointer from the freed context, which is a slab-use-after-free. The fix uses safe list iteration so that the traversal tolerates entries being freed and removed while it is in progress.
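The pattern described above, as an added userspace model in C; it is not the mac80211 code or the upstream patch. `struct chanctx`, `cancel_and_release`, `walk_unsafe` and `walk_safe` are hypothetical names, and a `freed` flag stands in for `kfree()` so the stale access can be counted without real undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

/* Hypothetical stand-in for a channel context. 'freed' models kfree()
 * so a stale access can be counted without real undefined behaviour. */
struct chanctx { struct list_head list; int radar; int freed; };

#define ctx_of(p) ((struct chanctx *)((char *)(p) - offsetof(struct chanctx, list)))

/* Models the cancel path: unlink the context from the list and release it. */
static void cancel_and_release(struct chanctx *c) {
    c->list.prev->next = c->list.next;
    c->list.next->prev = c->list.prev;
    c->freed = 1;
}

/* Constructed input: n contexts, every even one has radar flagged. */
static void build(struct list_head *head, struct chanctx *c, int n) {
    head->next = head->prev = head;
    for (int i = 0; i < n; i++) {
        c[i].radar = (i % 2 == 0); c[i].freed = 0;
        c[i].list.prev = head->prev; c[i].list.next = head;
        head->prev->next = &c[i].list; head->prev = &c[i].list;
    }
}

/* Unsafe walk: the step expression reads pos->next from a released node. */
int walk_unsafe(void) {
    struct list_head head, *pos; struct chanctx c[4]; int stale = 0;
    build(&head, c, 4);
    for (pos = head.next; pos != &head; pos = pos->next) {
        if (ctx_of(pos)->radar) cancel_and_release(ctx_of(pos));
        stale += ctx_of(pos)->freed;   /* node the step is about to read */
    }
    return stale;
}

/* Safe walk: the successor is saved in n before the body can release pos. */
int walk_safe(void) {
    struct list_head head, *pos, *n; struct chanctx c[4]; int stale = 0;
    build(&head, c, 4);
    for (pos = head.next, n = pos->next; pos != &head; pos = n, n = pos->next) {
        if (ctx_of(pos)->radar) cancel_and_release(ctx_of(pos));
        if (n != &head) stale += ctx_of(n)->freed;   /* node the step will use */
    }
    return stale;
}

int main(void) { printf("unsafe=%d safe=%d\n", walk_unsafe(), walk_safe()); return 0; }
```

Saving the successor only protects against the body releasing the current entry; if the body could also release the saved successor, this form of iteration would not be enough.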

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available for your distribution
  • Monitor vendor security advisories for kernel package updates
  • If running custom kernel builds, cherry-pick the referenced stable commits
  • Review systems utilizing DFS (Dynamic Frequency Selection) radar detection functionality for priority patching

Evidence notes

The vulnerability description indicates a classic use-after-free pattern in kernel list traversal. The fix involves converting to safe list iteration primitives (likely `list_for_each_entry_safe` or equivalent) in the radar detection work function. Multiple stable kernel branches received backports of this fix.

Official resources

2026-05-28