Linux kernel: NULL deref in ieee80211_chan_bw_change AP_VLAN stations
CVE-2026-31394 Published on April 3, 2026
mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations
In the Linux kernel, the following vulnerability has been resolved:
mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations
ieee80211_chan_bw_change() iterates all stations and accesses
link->reserved.oper via sta->sdata->link[link_id]. For stations on
AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to
the VLAN sdata, whose link never participates in chanctx reservations.
This leaves link->reserved.oper zero-initialized with chan == NULL,
causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()
when accessing chandef->chan->band during CSA.
Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata()
before accessing link data.
[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]
Products Associated with CVE-2026-31394
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 65c25b588994dd422fea73fa322de56e1ae4a33b is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 5a86d4e920d9783a198e39cf53f0e410fba5fbd6 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 3c6629e859a2211a1fbb4868f915413f80001ca5 is affected.
- Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and below 672e5229e1ecfc2a3509b53adcb914d8b024a853 is affected.
- Version 6.12.78, <= 6.12.* is unaffected.
- Version 6.18.20, <= 6.18.* is unaffected.
- Version 6.19.10, <= 6.19.* is unaffected.
- Version 7.0-rc5, <= * is unaffected.