CVE-2026-23246

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15 is out-of-bounds. Skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel mac80211 subsystem with ML (Multi-Link) support

Kernel versions containing ieee80211_ml_reconfiguration function without link_id bounds check

Affected stable kernels: 162d331d833dc73a3e905a24c44dd33732af1fc5

Affected stable kernels: 650981e718e68005ca2760a6358134b8a98ebea4

Affected stable kernels: bfde158d5d1322c0c2df398a8d1ccce04943be2e

Affected stable kernels: f35ceec54d48e227fa46f8f97fd100a77b8eab15

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2026-23246 PoC Concept
// This PoC demonstrates the out-of-bounds write vulnerability in mac80211 ML Reconfiguration
// Attack requires proximity to target WiFi network

#include <linux/skbuff.h>
#include <net/mac80211.h>

// Malicious ML Reconfiguration element construction
struct ieee80211_ml_reconfiguration_elem {
    u8 element_id;
    u8 length;
    u16 control;  // link_id extracted from lower 4 bits (0x000f)
    // ... other fields
} __attribute__((packed));

// Trigger condition: link_id = 15 (0xF) causes OOB write
// link_removal_timeout[] has only 15 elements (indices 0-14)
// Accessing link_removal_timeout[15] triggers stack out-of-bounds write

void trigger_vulnerability(struct ieee80211_sub_if_data *sdata, u8 malicious_link_id) {
    // malicious_link_id should be 15 to trigger OOB
    // The vulnerable code: link_id = control & 0x000f
    // No validation: if (link_id >= IEEE80211_MLD_MAX_NUM_LINKS) return;
    
    // This would cause: link_removal_timeout[15] = value;
    // But array only has 15 elements (0-14), causing OOB write
}

// Note: Actual exploitation requires 802.11 wireless proximity and
// crafted ML Reconfiguration element injection via management frames

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-23246
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-23246
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-23246/
[4] VulDB https://vuldb.com/cve/CVE-2026-23246
[5] https://git.kernel.org/stable/c/162d331d833dc73a3e905a24c44dd33732af1fc5
[6] https://git.kernel.org/stable/c/650981e718e68005ca2760a6358134b8a98ebea4
[7] https://git.kernel.org/stable/c/bfde158d5d1322c0c2df398a8d1ccce04943be2e
[8] https://git.kernel.org/stable/c/d58d71c2167601762351962b9604808d3be94400
[9] https://git.kernel.org/stable/c/f35ceec54d48e227fa46f8f97fd100a77b8eab15

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-23246", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-18T11:16:16.570", "lastModified": "2026-04-02T15:16:26.923", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration\n\nlink_id is taken from the ML Reconfiguration element (control & 0x000f),\nso it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS\n(15) elements, so index 15 is out-of-bounds. Skip subelements with\nlink_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds\nwrite."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: mac80211: verificación de límites de link_id en ieee80211_ml_reconfiguration\n\nlink_id se toma del elemento de reconfiguración ML (control &amp; 0x000f), por lo que puede ser 0..15. link_removal_timeout[] tiene IEEE80211_MLD_MAX_NUM_LINKS (15) elementos, por lo que el índice 15 está fuera de los límites. Omitir subelementos con link_id &gt;= IEEE80211_MLD_MAX_NUM_LINKS para evitar una escritura fuera de los límites de la pila."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/162d331d833dc73a3e905a24c44dd33732af1fc5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/650981e718e68005ca2760a6358134b8a98ebea4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bfde158d5d1322c0c2df398a8d1ccce04943be2e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d58d71c2167601762351962b9604808d3be94400", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f35ceec54d48e227fa46f8f97fd100a77b8eab15", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}