CVE-2026-43052 Overview
CVE-2026-43052 is a Linux kernel vulnerability in the mac80211 wireless subsystem. The flaw resides in the ieee80211_tdls_oper function, which handles Tunneled Direct Link Setup (TDLS) operations. When NL80211_TDLS_ENABLE_LINK is invoked, the code validates that a station entry exists but fails to verify whether the station is actually a TDLS peer. A local authenticated attacker can trigger the operation against a non-TDLS station, modifying channel context and HT protection state before the operation fails. This produces unintended side effects on wireless link state.
Critical Impact
Local users with wireless configuration privileges can disrupt channel context and HT protection state on affected Linux kernels, leading to integrity and availability impact on Wi-Fi connectivity.
Affected Products
- Linux kernel (multiple stable branches)
- Linux kernel 7.0-rc1 through 7.0-rc4
- Systems using mac80211 with TDLS-capable wireless drivers
Discovery Timeline
- 2026-05-01 - CVE-2026-43052 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43052
Vulnerability Analysis
The vulnerability exists in the Linux kernel mac80211 wireless stack within the ieee80211_tdls_oper function. TDLS allows two stations associated with the same access point to establish a direct link without routing frames through the AP. When userspace issues an NL80211_TDLS_ENABLE_LINK command via nl80211, the kernel locates the target station and proceeds with link enablement.
The function performs a presence check on the station entry but omits a check on the sta->sta.tdls flag. As a result, the operation proceeds against regular non-TDLS stations. Before the operation eventually fails, the kernel mutates shared wireless link state including channel context assignments and HT (High Throughput) protection settings.
The upstream fix adds an early sta->sta.tdls check in the ENABLE_LINK case path, rejecting the request before any state mutation occurs.
Root Cause
The root cause is missing input validation on the station type within the ENABLE_LINK case of ieee80211_tdls_oper. The code assumed that any station referenced by a TDLS netlink command would be a TDLS peer. This assumption is incorrect because userspace can supply any associated station address. The CWE classification is NVD-CWE-noinfo, but the defect pattern aligns with improper input validation in a privileged kernel code path.
Attack Vector
Exploitation requires local access with privileges sufficient to issue nl80211 commands, typically CAP_NET_ADMIN. The attacker invokes the TDLS enable-link operation referencing the address of a regular associated station rather than a TDLS peer. The kernel then modifies channel context and HT protection state for that link before the operation aborts. No user interaction is required, and the attack can be repeated to disrupt wireless connectivity or leave the link in an inconsistent configuration state.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-43052
Indicators of Compromise
- Unexpected channel context changes or HT protection mode flips on associated wireless interfaces without corresponding configuration commands
- Kernel log entries from mac80211 indicating TDLS enable-link failures shortly after channel state modifications
- Wireless connectivity instability correlated with nl80211 activity from non-administrative users or processes
Detection Strategies
- Audit running kernel versions across the fleet and flag hosts on unpatched stable branches or 7.0-rc builds
- Monitor nl80211 netlink traffic for NL80211_TDLS_ENABLE_LINK operations issued by unexpected processes
- Correlate dmesg and journald entries from the mac80211, cfg80211, and wireless driver subsystems for repeated TDLS operation failures
Monitoring Recommendations
- Enable kernel auditing (auditd) for processes invoking CAP_NET_ADMIN capabilities on wireless-equipped hosts
- Track iw and wpa_supplicant invocations and validate them against expected configuration management activity
- Centralize kernel logs from laptops, IoT, and embedded Linux devices to identify abnormal wireless state transitions
How to Mitigate CVE-2026-43052
Immediate Actions Required
- Apply the upstream stable kernel patches referenced in the kernel.org commits as soon as distribution packages are available
- Inventory all Linux systems with wireless hardware, prioritizing laptops, mobile devices, and embedded systems running affected branches
- Restrict CAP_NET_ADMIN to trusted administrative users only, and avoid granting it to interactive or service accounts
Patch Information
The fix adds an early check on sta->sta.tdls in the ENABLE_LINK case of ieee80211_tdls_oper so that non-TDLS stations are rejected before any side effects occur. The patch is available in the following commits: 7d73872d949c, 8148c2fda4eb, be81f17151fc, and e77b2937aaa2. Rebuild affected kernels or install vendor-supplied updates from your Linux distribution.
Workarounds
- Disable TDLS support on wireless interfaces where it is not required by configuring wpa_supplicant with tdls_external_control=1 or removing TDLS capability from interface configuration
- Limit access to wireless configuration tools (iw, iwconfig, nmcli) through sudo policy and group membership controls
- Where possible, blacklist or unload wireless drivers on systems that do not need Wi-Fi connectivity to remove the attack surface entirely
# Verify running kernel version and check for the TDLS fix
uname -r
# Inspect mac80211 module for load status
lsmod | grep mac80211
# Disable TDLS link establishment via wpa_supplicant config
echo 'tdls_external_control=1' | sudo tee -a /etc/wpa_supplicant/wpa_supplicant.conf
# Restrict CAP_NET_ADMIN by reviewing capability assignments
sudo getcap -r / 2>/dev/null | grep cap_net_admin
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
