CVE-2026-31394 Overview
CVE-2026-31394 is a NULL pointer dereference vulnerability in the Linux kernel's mac80211 wireless subsystem. The flaw resides in ieee80211_chan_bw_change(), which iterates over all stations and accesses link->reserved.oper through sta->sdata->link[link_id]. For stations attached to AP_VLAN interfaces such as 4addr WDS clients, sta->sdata references the VLAN sdata whose link never participates in channel context reservations. The result is a zero-initialized link->reserved.oper with chan == NULL, which triggers a NULL pointer dereference inside __ieee80211_sta_cap_rx_bw() when it reads chandef->chan->band during a Channel Switch Announcement (CSA). The fix resolves the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data.
Critical Impact
A kernel-mode NULL pointer dereference triggered during CSA on access points with AP_VLAN/4addr WDS stations causes a kernel crash and denial of service on affected wireless hosts.
Affected Products
- Linux kernel mac80211 subsystem (upstream)
- Linux distributions running affected stable kernel branches prior to the fix commits
- Wireless access points and routers using AP_VLAN interfaces with 4addr WDS clients
Discovery Timeline
- 2026-04-03 - CVE-2026-31394 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-31394
Vulnerability Analysis
The vulnerability is a NULL pointer dereference [CWE-476] in the Linux kernel mac80211 driver. During a Channel Switch Announcement, ieee80211_chan_bw_change() walks the station list to recompute receive bandwidth capabilities for each associated station. The function dereferences the per-link reserved.oper channel definition through the station's sdata pointer. AP_VLAN sdata objects do not participate in channel context reservations, so their link structures remain zero-initialized. When the kernel reaches __ieee80211_sta_cap_rx_bw() and reads chandef->chan->band, the chan pointer is NULL and the kernel oopses.
The crash path is reachable on any system operating as a wireless access point with at least one AP_VLAN interface hosting 4-address (WDS) client stations when a CSA is initiated. Since CSA can be triggered by regulatory events, radar detection (DFS), or administrative reconfiguration, the trigger conditions occur in normal operation rather than only under attacker control.
Root Cause
The root cause is an incorrect sdata resolution. The code assumes that sta->sdata always references an sdata that owns valid channel context reservations. For stations attached to AP_VLAN interfaces, sta->sdata points at the VLAN sdata, not the parent AP sdata that holds the operational channel definition. The VLAN sdata's link[link_id]->reserved.oper.chan remains NULL, and the function dereferences it without a guard.
Attack Vector
The local attack surface is limited. Triggering the crash requires the access point to perform a channel switch while AP_VLAN/4addr stations are associated. A local administrator with the ability to initiate channel switches, or a co-located radio source that forces DFS-driven channel changes, can reach the vulnerable path. The vulnerability does not expose memory contents or grant code execution; impact is restricted to availability of the wireless subsystem and the host kernel.
No public proof-of-concept is available. The flaw was identified and remediated through upstream kernel maintenance. Technical details are documented in the upstream commits referenced below.
Detection Methods for CVE-2026-31394
Indicators of Compromise
- Kernel oops or panic messages referencing ieee80211_chan_bw_change or __ieee80211_sta_cap_rx_bw in dmesg or /var/log/kern.log.
- Unexpected wireless interface resets or hostapd restarts coinciding with channel switch events.
- System crash signatures captured by kdump or pstore that include the mac80211 call path during CSA processing.
Detection Strategies
- Inventory running kernel versions across Linux fleets and compare against the fixed commits: 3c6629e859a2, 5a86d4e920d9, 65c25b588994, and 672e5229e1ec.
- Identify hosts configured with AP_VLAN interfaces and 4addr WDS clients, since these are the only systems that reach the vulnerable code path.
- Correlate kernel crash telemetry with CSA events logged by hostapd or iw event to confirm causality.
Monitoring Recommendations
- Centralize kernel logs and alert on stack traces containing mac80211 symbols around CSA operations.
- Track host uptime regressions on wireless infrastructure to surface repeated crash-reboot cycles.
- Monitor DFS and regulatory channel-change events on outdoor and 5 GHz deployments where CSA is more frequent.
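As an added example that is not part of this advisory, the following Python script implements the correlation step from the detection strategies and monitoring recommendations above: it flags kernel log lines naming the crash-path symbols and pairs each oops with the most recent CSA event in a short window. The log layout (journalctl short-iso style) and the CSA wording in the hostapd lines are assumptions, and the sample log is constructed.

```python
"""Detection helper for CVE-2026-31394: find kernel oops traces that name the
mac80211 call path and correlate them with preceding CSA events."""
import re
from datetime import datetime, timedelta

# Call-path symbols from the crash signature described in the advisory.
CRASH_SYMBOLS = ("ieee80211_chan_bw_change", "__ieee80211_sta_cap_rx_bw")
# Assumed CSA wording for hostapd / iw event lines (not verified against the tools).
CSA_MARKER = re.compile(r"\bCSA\b|ch switch", re.IGNORECASE)
# journalctl -o short-iso style: "<timestamp> <host> <source>[pid]: <message>" (assumed layout).
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\S* \S+ (?P<src>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")

def parse(lines):
    """Yield (timestamp, source, message) for every line that matches LINE."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["src"], m["msg"]

def find_crashes(events):
    """Distinct timestamps of kernel lines naming a vulnerable-path symbol
    (one oops spans several lines, so collapse by timestamp)."""
    return sorted({ts for ts, src, msg in events
                   if src == "kernel" and any(s in msg for s in CRASH_SYMBOLS)})

def correlate(events, window=timedelta(seconds=30)):
    """Pair each crash with the latest CSA event inside `window` before it;
    None means no CSA preceded the crash, so another cause should be considered."""
    events = list(events)
    csa = [ts for ts, src, msg in events if src != "kernel" and CSA_MARKER.search(msg)]
    return [(crash, max((t for t in csa if crash - window <= t <= crash), default=None))
            for crash in find_crashes(events)]

# Constructed sample log (not captured from a real system); symbol offsets are made up.
SAMPLE_LOG = """\
2026-04-03T10:14:58+0000 ap hostapd[812]: wlan0: CSA to channel 100 started
2026-04-03T10:15:02+0000 ap kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000
2026-04-03T10:15:02+0000 ap kernel: RIP: 0010:__ieee80211_sta_cap_rx_bw+0x2a/0x1a0 [mac80211]
2026-04-03T10:15:02+0000 ap kernel: Call Trace:
2026-04-03T10:15:02+0000 ap kernel:  ieee80211_chan_bw_change+0xb4/0x1c0 [mac80211]
2026-04-03T11:02:10+0000 ap hostapd[812]: wlan0: AP-STA-CONNECTED 02:00:00:00:01:00
2026-04-03T13:40:00+0000 ap kernel: RIP: 0010:__ieee80211_sta_cap_rx_bw+0x2a/0x1a0 [mac80211]
""".splitlines()

def scan(lines=SAMPLE_LOG):
    """Run the correlation over a log and return [(crash_ts, csa_ts_or_None), ...]."""
    return correlate(parse(lines))
```

Running scan() on the sample pairs the 10:15:02 oops with the CSA four seconds earlier and reports the 13:40:00 oops with no CSA in the window, which is the case to investigate separately before attributing it to this CVE.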
How to Mitigate CVE-2026-31394
Immediate Actions Required
- Apply the upstream mac80211 patches that introduce get_bss_sdata() resolution before accessing link data in ieee80211_chan_bw_change().
- Update to a Linux stable kernel release that includes commits 3c6629e859a2, 5a86d4e920d9, 65c25b588994, or 672e5229e1ec.
- Coordinate with distribution vendors to obtain backported packages for long-term support kernels.
Patch Information
The fix resolves the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data, ensuring link->reserved.oper.chan is valid before dereference. The patch also adjusts the sta->sdata reference inside ARRAY_SIZE for consistency. Patch details are available in the upstream kernel Git commits 3c6629e8, 5a86d4e9, 65c25b58, and 672e5229.
Workarounds
- Disable AP_VLAN interfaces or remove 4addr/WDS client configurations on affected hosts until patches are deployed.
- Avoid initiating administrative channel switches on access points running unpatched kernels.
- Where feasible, operate on non-DFS channels to reduce the frequency of automatic CSA triggers.
# Record the running kernel version to compare against a release that contains the fix commits
uname -r
# Inspect AP_VLAN interfaces that could expose the vulnerable path
iw dev | grep -E 'Interface|type'
# Review recent kernel crash traces for mac80211 references
dmesg -T | grep -iE 'mac80211|ieee80211_chan_bw_change'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.