{"id":"CVE-2026-31394","summary":"mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations\n\nieee80211_chan_bw_change() iterates all stations and accesses\nlink-\u003ereserved.oper via sta-\u003esdata-\u003elink[link_id]. For stations on\nAP_VLAN interfaces (e.g. 4addr WDS clients), sta-\u003esdata points to\nthe VLAN sdata, whose link never participates in chanctx reservations.\nThis leaves link-\u003ereserved.oper zero-initialized with chan == NULL,\ncausing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()\nwhen accessing chandef-\u003echan-\u003eband during CSA.\n\nResolve the VLAN sdata to its parent AP sdata using get_bss_sdata()\nbefore accessing link data.\n\n[also change sta-\u003esdata in ARRAY_SIZE even if it doesn't matter]","modified":"2026-06-04T09:14:21.841952191Z","published":"2026-04-03T15:15:58.806Z","related":["SUSE-SU-2026:21841-1","SUSE-SU-2026:21845-1","SUSE-SU-2026:21860-1","SUSE-SU-2026:2217-1","SUSE-SU-2026:2238-1","openSUSE-SU-2026:20826-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31394.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3c6629e859a2211a1fbb4868f915413f80001ca5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5a86d4e920d9783a198e39cf53f0e410fba5fbd6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/65c25b588994dd422fea73fa322de56e1ae4a33b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/672e5229e1ecfc2a3509b53adcb914d8b024a853"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31394.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31394"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b27512368591fc959768df1f7dacf2a96b1bd036"},{"fixed":"65c25b588994dd422fea73fa322de56e1ae4a33b"},{"fixed":"5a86d4e920d9783a198e39cf53f0e410fba5fbd6"},{"fixed":"3c6629e859a2211a1fbb4868f915413f80001ca5"},{"fixed":"672e5229e1ecfc2a3509b53adcb914d8b024a853"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31394.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.11.0"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.20"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31394.json"}}],"schema_version":"1.7.5"}