CVE-2026-31394 Overview
CVE-2026-31394 is a null pointer dereference vulnerability in the Linux kernel's mac80211 wireless networking subsystem. The vulnerability exists in the ieee80211_chan_bw_change() function, which crashes when processing channel bandwidth changes for stations connected via AP_VLAN interfaces, specifically affecting 4addr WDS (Wireless Distribution System) clients.
The flaw occurs because the function iterates through all stations and attempts to access link->reserved.oper via sta->sdata->link[link_id]. However, for stations on AP_VLAN interfaces, sta->sdata points to the VLAN sdata structure whose link never participates in channel context reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, resulting in a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when the code attempts to access chandef->chan->band during Channel Switch Announcement (CSA) operations.
Critical Impact
Kernel crash and denial of service condition affecting wireless access points using AP_VLAN interfaces for 4addr WDS client connections during channel switch operations.
Affected Products
- Linux Kernel mac80211 wireless subsystem
- Linux-based wireless access points with AP_VLAN support
- Systems utilizing 4addr WDS client configurations
Discovery Timeline
- April 3, 2026 - CVE-2026-31394 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31394
Vulnerability Analysis
This null pointer dereference vulnerability is located in the mac80211 kernel subsystem, which implements the IEEE 802.11 wireless LAN protocol stack. The vulnerable function ieee80211_chan_bw_change() is responsible for handling channel bandwidth changes, a critical operation during Channel Switch Announcements (CSA) used when an access point needs to change its operating channel.
The core issue stems from improper handling of the station data structure pointer (sta->sdata) for AP_VLAN interfaces. When a station connects via an AP_VLAN interface (commonly used for 4-address WDS links), the sta->sdata pointer references the VLAN's software data structure rather than the parent access point's sdata. Unlike the parent AP sdata, the VLAN sdata's link structures do not participate in channel context (chanctx) reservations, leaving the reserved.oper field uninitialized.
When __ieee80211_sta_cap_rx_bw() is subsequently called during a channel switch operation, it dereferences chandef->chan->band where chan is NULL, causing an immediate kernel crash. This denial of service condition affects the entire system, as the crash occurs in kernel space.
Root Cause
The root cause is the failure to resolve AP_VLAN sdata structures to their parent AP sdata before accessing link reservation data. The ieee80211_chan_bw_change() function directly uses sta->sdata->link[link_id] without first calling get_bss_sdata() to obtain the correct BSS (Basic Service Set) sdata that contains valid channel context reservation information.
The fix involves resolving the VLAN sdata to its parent AP sdata using the get_bss_sdata() helper function before accessing link data, ensuring that the code always operates on properly initialized channel context reservation structures.
Attack Vector
The vulnerability can be triggered locally on systems running as wireless access points with AP_VLAN configurations. An attacker would need to be able to initiate or cause a Channel Switch Announcement (CSA) while 4addr WDS clients are connected via AP_VLAN interfaces. This could potentially be achieved by:
- A malicious authenticated client triggering radar detection events (for DFS channels)
- Sending crafted management frames that cause channel changes
- Exploiting legitimate channel switch functionality in multi-AP deployments
The attack results in a kernel panic, causing system unavailability and requiring a reboot to restore service. While this is primarily a denial of service condition, the NULL pointer dereference occurs in kernel context which could have security implications depending on the specific kernel configuration and memory layout.
Detection Methods for CVE-2026-31394
Indicators of Compromise
- Kernel panic or oops messages referencing ieee80211_chan_bw_change or __ieee80211_sta_cap_rx_bw functions
- System crashes occurring during wireless channel switch operations
- Unexpected access point reboots correlating with CSA events while AP_VLAN clients are connected
- Kernel log messages showing NULL pointer dereference in mac80211 module
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for NULL pointer dereference errors in mac80211-related functions
- Implement crash dump analysis to identify the specific call stack involving ieee80211_chan_bw_change
- Deploy SentinelOne Singularity XDR for real-time kernel-level monitoring and anomaly detection
- Use kernel tracing tools (ftrace, perf) to monitor mac80211 function calls during channel switch events
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture diagnostic information when crashes occur
- Monitor wireless interface status and connection counts for AP_VLAN interfaces
- Implement alerting on unexpected wireless access point restarts
- Track Channel Switch Announcement frequency and timing for anomalous patterns
How to Mitigate CVE-2026-31394
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- If updates are not immediately possible, consider temporarily disabling AP_VLAN functionality if operationally feasible
- Monitor for kernel crashes and ensure crash dump collection is enabled for forensic analysis
- Review wireless configuration and limit exposure of affected AP_VLAN interfaces
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix modifies ieee80211_chan_bw_change() to use get_bss_sdata() to resolve VLAN sdata structures to their parent AP sdata before accessing link reservation data. Multiple kernel stable branches have received the fix:
- Kernel Git Commit 3c6629e8
- Kernel Git Commit 5a86d4e9
- Kernel Git Commit 65c25b58
- Kernel Git Commit 672e5229
Workarounds
- Avoid using AP_VLAN interfaces with 4addr WDS clients until patches are applied
- Minimize channel switch operations on affected access points during high-traffic periods
- Implement network redundancy to maintain connectivity if an AP crashes
- Consider using alternative isolation mechanisms that don't rely on AP_VLAN interfaces
# Check current kernel version for vulnerability assessment
uname -r
# Verify if the patched commit is present in your kernel
# Look for commits containing the ieee80211_chan_bw_change fix
git log --oneline --grep="ieee80211_chan_bw_change" /path/to/kernel/source
# Monitor for potential exploitation attempts
dmesg -w | grep -E "(mac80211|ieee80211_chan_bw_change|NULL pointer)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
