CVE-2026-23367 Overview
CVE-2026-23367 is an uninitialized memory use vulnerability discovered in the Linux kernel's WiFi radiotap parser. The vulnerability exists in the radiotap namespace handling code, where the iterator->_next_ns_data variable is not properly initialized when undefined field 18 is used. This allows comparison against an uninitialized value, potentially leading to unpredictable kernel behavior.
The radiotap parser, which processes IEEE 802.11 radiotap headers for wireless frame metadata, fails to properly handle unknown radiotap fields. When an undefined field (specifically field 18) is encountered, the parser cannot determine the correct alignment and size, leaving the iterator->_next_ns_data pointer uninitialized. This uninitialized pointer is subsequently used in comparison operations, creating a security vulnerability that was identified by syzbot, the kernel fuzzing tool.
Critical Impact
Uninitialized memory use in the Linux kernel's WiFi radiotap parser could lead to kernel instability, information disclosure, or potentially be leveraged as part of a larger exploit chain targeting wireless subsystem functionality.
Affected Products
- Linux kernel (WiFi radiotap subsystem)
- Systems using wireless networking with radiotap header parsing
- Network monitoring tools relying on kernel radiotap functionality
Discovery Timeline
- March 25, 2026 - CVE-2026-23367 published to NVD
- March 25, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23367
Vulnerability Analysis
The vulnerability resides in the Linux kernel's radiotap iterator implementation, which parses IEEE 802.11 radiotap headers used to convey per-packet information about wireless frames. The radiotap format uses a bitmask to indicate which fields are present in the header, with each field having defined alignment requirements and sizes.
The core issue stems from improper handling of undefined radiotap fields. The radiotap specification reserves field 18 and other fields for future use, but when the parser encounters these undefined fields, it cannot determine their alignment or size. The variable iterator->_next_ns_data is specifically used for tracking the next namespace data boundary when skipping vendor namespaces, but the code path incorrectly references this variable even when processing undefined fields in the standard radiotap namespace.
This creates a situation where the kernel compares against an uninitialized memory value, leading to undefined behavior. Syzbot, Google's continuous kernel fuzzing infrastructure, detected this issue through its automated testing.
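The bitmask walk described above, as an added userspace example (not the kernel's code and not the upstream fix): a header check that rejects any present bit whose size and alignment are unknown, such as field 18, and writes its output variable before every return. The `rt_*` names, the table limited to fields 0-21 and the two sample headers are assumptions constructed for this example; vendor namespaces are reported but not interpreted.

```c
#include <stddef.h>
#include <stdint.h>
/* Result codes for this example (hypothetical names, not kernel API). */
enum { RT_OK = 0, RT_VENDOR_NS = 1, RT_MALFORMED = -1, RT_UNKNOWN_FIELD = -2 };
/* {align, size} of default-namespace fields 0-21 (assumed); 18 is undefined. */
static const uint8_t rt_fields[22][2] = {
    {8, 8}, {1, 1}, {1, 1}, {2, 4}, {2, 2}, {1, 1}, {1, 1}, {2, 2},
    {2, 2}, {2, 2}, {1, 1}, {1, 1}, {1, 1}, {1, 1}, {2, 2}, {2, 2},
    {1, 1}, {1, 1}, {0, 0}, {1, 3}, {4, 8}, {2, 12},
};
/* Constructed samples: Flags+Rate present, then the same header with bit 18 set. */
static const uint8_t sample_ok[]  = {0, 0, 10, 0, 0x06, 0, 0x00, 0, 0x00, 0x02};
static const uint8_t sample_bad[] = {0, 0, 10, 0, 0x06, 0, 0x04, 0, 0x00, 0x02};
static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the present bitmap(s); *bad_field is written before every return. */
int rt_check(const uint8_t *buf, size_t len, int *bad_field)
{
    *bad_field = -1;
    size_t hdr_len = len < 8 ? 0 : buf[2] | (size_t)buf[3] << 8; /* it_len, LE */
    if (hdr_len < 8 || hdr_len > len || buf[0] != 0)             /* version 0 only */
        return RT_MALFORMED;
    size_t nwords = 1;                            /* bit 31 chains present words */
    while (le32(buf + 4 * nwords) >> 31)
        if (4 + 4 * ++nwords > hdr_len)
            return RT_MALFORMED;
    size_t off = 4 + 4 * nwords;                  /* offset of the first field */
    for (size_t w = 0, base = 0; w < nwords; w++) {
        uint32_t present = le32(buf + 4 + 4 * w);
        for (size_t f = base; f < base + 29; f++) {
            if (!(present >> (f - base) & 1))
                continue;
            if (f >= 22 || rt_fields[f][0] == 0) { /* size/alignment unknown */
                *bad_field = (int)f;
                return RT_UNKNOWN_FIELD;
            }
            off = (off + rt_fields[f][0] - 1) & ~(size_t)(rt_fields[f][0] - 1);
            if ((off += rt_fields[f][1]) > hdr_len)
                return RT_MALFORMED;
        }
        if (present >> 30 & 1)
            return RT_VENDOR_NS;                  /* vendor data not interpreted */
        base = (present >> 29 & 1) ? 0 : base + 32; /* bit 29 restarts numbering */
    }
    return RT_OK;
}
```

Extend `rt_fields` with the newer field definitions before running this over captures from current hardware, otherwise legitimate fields above 21 are reported as unknown.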
Root Cause
The root cause is that the iterator->_next_ns_data pointer is not initialized on every path through the radiotap parser. This variable is only set when processing vendor namespaces (for the purpose of skipping them), but the code performs comparisons against this value even when handling undefined fields within the standard radiotap namespace. The fix moves the rejection of unknown radiotap fields to after the in-namespace lookup, ensuring that iterator->_next_ns_data is only used in the context of vendor namespaces where it has been properly initialized.
Attack Vector
The vulnerability can potentially be triggered by crafting malicious WiFi frames containing radiotap headers with undefined field bits set. An attacker within wireless range could send specially crafted packets that include radiotap headers with field 18 or other undefined fields marked as present in the bitmask.
When the kernel's radiotap parser processes these malformed headers, it encounters the undefined field and attempts to use the uninitialized iterator->_next_ns_data value. While the immediate impact may be limited to kernel instability or crashes, uninitialized memory vulnerabilities can sometimes be exploited more severely depending on the memory state at the time of exploitation.
The fix ensures that undefined radiotap fields are rejected at the appropriate point in the parsing logic, after namespace determination, preventing the use of uninitialized values.
Detection Methods for CVE-2026-23367
Indicators of Compromise
- Unexpected kernel panics or crashes related to the wireless subsystem
- Syslog entries indicating memory corruption or uninitialized value warnings in WiFi-related kernel modules
- Unusual wireless frame activity with malformed radiotap headers
Detection Strategies
- Deploy kernel live patching or updated kernel versions containing the security fix
- Monitor kernel logs for warnings from the radiotap parser or wireless subsystem
- Use network intrusion detection systems (NIDS) to identify anomalous WiFi frame structures
- Enable kernel address sanitizer (KASAN) for detection of uninitialized memory access in development environments
Monitoring Recommendations
- Configure system monitoring to alert on wireless subsystem kernel panics
- Review wireless interface logs for parsing errors or unexpected frame handling issues
- Implement kernel crash analysis to identify potential exploitation attempts
- Monitor for unusual patterns in WiFi traffic that may indicate crafted attack frames
How to Mitigate CVE-2026-23367
Immediate Actions Required
- Apply the official kernel patches from the Linux kernel stable branches
- Update to a patched kernel version that includes the radiotap parser fix
- Consider temporarily disabling unnecessary WiFi interfaces on critical systems until patching is complete
- Monitor systems for signs of exploitation or kernel instability
Patch Information
The Linux kernel maintainers have released patches across multiple stable kernel branches to address this vulnerability. The fix modifies the radiotap parser to move the rejection of unknown radiotap fields to after the in-namespace lookup, ensuring iterator->_next_ns_data is only used for vendor namespace handling.
Official kernel patches are available:
- Kernel Patch 129c8bb320
- Kernel Patch 2a60c588d5
- Kernel Patch 2f8ceeba67
- Kernel Patch 703fa979ba
- Kernel Patch c854758abe
- Kernel Patch e664971759
Workarounds
- If immediate patching is not possible, consider disabling WiFi interfaces on systems where wireless connectivity is not required
- Implement network segmentation to limit exposure of vulnerable systems to potentially malicious wireless traffic
- Use wired network connections for critical infrastructure until patches can be applied
- Enable additional kernel hardening options such as KASAN for early detection of memory issues
# Configuration example
# Check current kernel version
uname -r
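# Update kernel package (Ubuntu; on Debian install the linux-image metapackage for your architecture)
sudo apt update && sudo apt install linux-image-generic
# Update kernel package (RHEL/CentOS/Fedora)
sudo dnf update kernel
# Reboot afterwards so the updated kernel is the one actually running
# Temporarily disable WiFi interface if not needed (replace wlan0 with your interface name)
sudo ip link set wlan0 down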
# Verify patch status by checking kernel changelog
zcat /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz | grep -i radiotap