CVE-2026-31394

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A flaw exists in the Linux kernel's mac80211 component, specifically within the ieee80211 chan bw change() function. This function iterates through stations and accesses link->reserved.oper via sta->sdata->link[link id]. For stations on AP VLAN interfaces, sta->sdata points to a VLAN sdata, which doesn't participate in channel context reservations, leading to a zero-initialized link->reserved.oper with chan being NULL. This results in a NULL pointer dereference within ieee80211 sta cap rx bw() when accessing chandef->chan->band during Channel State Announcement (CSA).

Recommendations Resolve the VLAN sdata to its parent AP sdata using get bss sdata() before accessing link data.