Linux Kernel mac80211 Link ID Bounds-Check Vulnerability in ML Reconfiguration

Vulnerability

A vulnerability in the Linux kernel's mac80211 Wi-Fi module has been addressed. The issue arose because the link_id used in the ieee80211_ml_reconfiguration function was not bounds-checked. The link_id is derived from the ML Reconfiguration element and can range from 0 to 15. However, the link_removal_timeout array has only 15 elements, so index 15 is out of bounds. To prevent a stack out-of-bounds write, the fix skips subelements with a link_id of 15 or higher.
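The check described above, as an added userspace model (not the kernel's code or the upstream patch). Only link_removal_timeout is a name from this page; MAX_LINKS, LINK_ID_MASK, the struct layouts, collect_timeouts and the sample input are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_LINKS    15      /* assumed: 15 slots, valid indices 0..14 */
#define LINK_ID_MASK 0x000f  /* assumed: link_id is a 4-bit field, 0..15 */

/* Constructed stand-in for one per-link subelement of the element. */
struct sub_elem {
    uint16_t control;  /* low 4 bits carry link_id */
    uint16_t timeout;  /* removal timeout for that link */
};

/* Array followed by a canary so a write to index 15 would be visible. */
struct state {
    uint16_t link_removal_timeout[MAX_LINKS];
    uint16_t canary;
    uint16_t removed_links;  /* bitmap of link_ids that were accepted */
};

/* Store each timeout by link_id; return how many subelements were skipped. */
size_t collect_timeouts(struct state *st, const struct sub_elem *subs, size_t n)
{
    size_t skipped = 0;
    memset(st, 0, sizeof(*st));
    st->canary = 0xBEEF;
    for (size_t i = 0; i < n; i++) {
        unsigned int link_id = subs[i].control & LINK_ID_MASK;
        /* The fix: link_id 15 has no slot, so skip it before indexing. */
        if (link_id >= MAX_LINKS) {
            skipped++;
            continue;
        }
        st->link_removal_timeout[link_id] = subs[i].timeout;
        st->removed_links |= (uint16_t)(1u << link_id);
    }
    return skipped;
}

/* Constructed input: link_ids 0, 14 (last valid) and 15 (out of range). */
static const struct sub_elem sample[] = { {0x0000, 100}, {0x000e, 200}, {0x000f, 300} };
struct state demo_state;

size_t demo_run(void) { return collect_timeouts(&demo_state, sample, 3); }

int main(void) { return demo_run() == 1 ? 0 : 1; }
```

The general pattern is that a field whose encoding allows more values than the array it indexes has slots needs an explicit comparison against the array size before use; masking to the field width alone is not a bounds check.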

Impact

The vulnerability could lead to a stack-based out-of-bounds write, potentially allowing for arbitrary code execution or causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending an ML Reconfiguration element that includes a link_id of 15. This triggers the out-of-bounds write by accessing an invalid index in the link_removal_timeout array.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Mar 18, 2026, 11:21 AM
Updated: Mar 18, 2026, 11:21 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 1.9
exploitability: 5.7
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.