CVE-2026-46166: Linux Kernel Use-After-Free Vulnerability

CVE-2026-46166 Overview

CVE-2026-46166 is a use-after-free vulnerability in the Linux kernel's mac80211 wireless subsystem. The flaw resides in the radar detect work handler, where a call to ieee80211_dfs_cac_cancel can free and remove the currently iterated chanctx from its list. Because the original code did not use safe list iteration, the kernel could continue traversing freed memory, producing a slab-use-after-free condition flagged by KASAN.

The vulnerability affects the Dynamic Frequency Selection (DFS) Channel Availability Check (CAC) logic used by Wi-Fi devices operating on radar-sensitive 5 GHz channels. Exploitation requires triggering radar detection events while the kernel manages multiple channel contexts.

Critical Impact

A slab-use-after-free in mac80211 radar detect work can lead to kernel memory corruption, denial of service, or potential local privilege escalation on systems using Wi-Fi DFS channels.

Affected Products

• Linux kernel (mainline) versions prior to the commits listed in the kernel.org stable tree
• Linux distributions shipping affected stable kernel branches with mac80211 support
• Wi-Fi-enabled systems using DFS channels on the 5 GHz band

Discovery Timeline

• 2026-05-28 - CVE-2026-46166 published to NVD
• 2026-05-28 - Last updated in NVD database

Technical Details for CVE-2026-46166

Vulnerability Analysis

The vulnerability exists in the radar detect work routine inside the Linux kernel's mac80211 subsystem. The function iterates through a list of channel contexts (chanctx) and invokes ieee80211_dfs_cac_cancel on entries that require the Channel Availability Check to be canceled. This cancel call has a side effect: it can free the chanctx structure and unlink it from the list being iterated.

Because the original iteration used an unsafe variant of the list traversal macro, the loop dereferenced the freed entry to obtain the next pointer. This produced a classic slab-use-after-free [CWE-416] pattern where freed kernel slab memory is reused mid-iteration. The fix replaces the iterator with a safe list traversal variant that caches the next pointer before invoking the callback that may free the current node.

Root Cause

The root cause is unsafe list iteration over a mutable list. The radar detect work walked the channel context list while a function called inside the loop body could remove and free list elements. Without using a safe iterator that stores the next element before each loop body executes, the kernel reached into freed slab memory after ieee80211_dfs_cac_cancel returned.

Attack Vector

Triggering the condition requires the affected system to be operating Wi-Fi on a DFS channel and to process radar detection events that cause the CAC to be canceled while multiple channel contexts are active. The attack surface is local to the Wi-Fi data path, but radar detection can be influenced by adjacent radio activity. Successful exploitation results in kernel memory corruption that may manifest as a crash, hang, or controlled use-after-free suitable for further escalation.

No public proof-of-concept exploit is available for CVE-2026-46166 at the time of publication. Detailed code-level context is available in the kernel commits referenced in the Linux kernel stable tree.

Detection Methods for CVE-2026-46166

Indicators of Compromise

• KASAN reports in kernel logs identifying slab-use-after-free in functions related to mac80211 radar detect work or ieee80211_dfs_cac_cancel.
• Unexpected kernel oops, panics, or warnings referencing ieee80211_chanctx structures on systems running Wi-Fi on DFS channels.
• Wireless interface resets or repeated CAC failures correlated with kernel stack traces in dmesg.

Detection Strategies

• Audit installed kernel versions across the Linux fleet and compare against the patched commits in the kernel.org stable tree.
• Enable KASAN on test or canary kernels to surface use-after-free conditions in mac80211 before they reach production.
• Aggregate kernel crash telemetry centrally and alert on stack traces containing mac80211 and chanctx symbols.

Monitoring Recommendations

• Ingest dmesg and journald kernel logs into a central log platform and trigger alerts on KASAN or oops events referencing the wireless stack.
• Track package and kernel inventory using configuration management to confirm patched versions are deployed.
• Monitor wireless interface stability metrics on access points and Linux endpoints that operate on 5 GHz DFS channels.

How to Mitigate CVE-2026-46166

Immediate Actions Required

• Update the Linux kernel to a version that includes the upstream fix from the kernel.org stable tree commits referenced for this CVE.
• Identify systems running Wi-Fi on 5 GHz DFS channels and prioritize their patching.
• Reboot affected systems after applying the kernel update so the patched mac80211 module is loaded.

Patch Information

The fix replaces unsafe list iteration with a safe variant in the radar detect work handler so that freeing the current chanctx inside ieee80211_dfs_cac_cancel does not corrupt the loop state. Patched commits are published in the Linux kernel stable tree: 120149fb3ebc, 7577a4b8a10f, 887ece6c23b4, and ac8eb3e18f41. Apply the vendor kernel update from your Linux distribution that incorporates these commits.

Workarounds

• Where patching cannot be performed immediately, restrict Wi-Fi operation to non-DFS channels to avoid triggering the radar detect work path.
• Disable 5 GHz radios on affected endpoints or access points until a patched kernel is deployed.
• Limit physical proximity and local user access on systems where wireless cannot be reconfigured, reducing opportunities to influence the vulnerable code path.