{ "threat_severity" : "Moderate", "public_date" : "2026-03-18T00:00:00Z", "bugzilla" : { "description" : "kernel: Linux kernel: Denial of Service in mac80211 Wi-Fi due to out-of-bounds write", "id" : "2448600", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2448600" }, "cvss3" : { "cvss3_base_score" : "5.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "status" : "draft" }, "cwe" : "CWE-787", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration\nlink_id is taken from the ML Reconfiguration element (control & 0x000f),\nso it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS\n(15) elements, so index 15 is out-of-bounds. Skip subelements with\nlink_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds\nwrite.", "A flaw was found in the Linux kernel's mac80211 Wi-Fi subsystem. This vulnerability occurs in the ieee80211_ml_reconfiguration function when processing a Multi-Link (ML) Reconfiguration element. An attacker can provide a crafted link_id value that is not properly bounds-checked, leading to an out-of-bounds write on the stack. This can result in a denial of service (DoS), potentially making the system unavailable." ], "statement" : "A stack out of bounds write in mac80211 can occur when parsing the ML Reconfiguration element because link_id can be 15 while link_removal_timeout only has 15 entries indexed 0 to 14. A nearby attacker can potentially trigger this by injecting crafted 80211 management frames that include ML Reconfiguration subelements with an invalid link_id. For the CVSS the PR:N is used for the upper boundary score level because the attacker does not need any privileges and only needs radio proximity to the WiFi interface that processes such frames. The issue is adjacency network reachable over the wireless medium rather than the public Internet. Impact is at least denial of service via kernel crash. For the CIA of the CVSS only considering A:H, but still considering a limited integrity impact possibility because the bug class is a stack out of bounds write and may be exploitable in some environments.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23246\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23246\nhttps://lore.kernel.org/linux-cve-announce/2026031817-CVE-2026-23246-d29e@gregkh/T" ], "name" : "CVE-2026-23246", "csaw" : false }