HIGH 8.8

CVE-2026-46125

CVE-2026-46125 is a memory safety bug in Linux kernel WiFi driver code that can cause system crashes or privilege escalation. When the kernel attempts to establish a multi-link WiFi connection and that setup fails, the code incorrectly retains station references that should have been cleaned up. This leaves dangling pointers in memory that can be exploited or cause the system to crash when the kernel debugfs interface tries to access them later. The vulnerability requires local network access and affects systems with WiFi enabled.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416, CWE-825
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-06-30

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: remove station if connection prep fails If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any "new_sta" is already being removed, so that doesn't need changes. This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.

19 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This is a use-after-free and double-free vulnerability in the mac80211 WiFi subsystem (drivers/net/wireless/mac80211/) triggered during MLO (Multi-Link Operation) connection failure handling. When connection preparation fails for MLD (Multi-Link Device) operations, the kernel resets the virtual interface from MLD to non-MLD state and recreates debugfs entries. However, station objects associated with the removed MLD link are not properly deleted, leaving dangling references. If debugfs is enabled, subsequent access to these stale pointers causes a crash. The fix ensures that existing stations are explicitly removed when the vif transitions away from MLD mode following connection setup failure.

Business impact

Affected systems can experience denial of service through kernel panic or system lockup when WiFi connection setup fails under specific multi-link scenarios. In environments with debugfs enabled (common in development/testing systems), this becomes trivial to trigger. On production systems, exploiting this for information disclosure or privilege escalation would require deep knowledge of kernel internals and debugfs access, making it primarily a stability risk. The vulnerability impacts laptop/desktop systems and IoT devices relying on multi-link WiFi functionality.

Affected systems

Linux kernel systems with WiFi drivers using the mac80211 subsystem. Risk is elevated for systems where: (1) debugfs is compiled in and enabled, (2) multi-link WiFi (802.11be/Wi-Fi 7 or MLO-capable devices) hardware is present, (3) connection failures occur during MLD setup. This includes modern Linux distributions on laptops, embedded Linux systems, and potentially some network appliances.

Exploitability

Exploitability is **locally constrained** but non-trivial. An attacker must have network access to the affected system's WiFi and be able to trigger connection preparation failures—typically requiring the ability to control WiFi access point behavior or inject malformed connection frames. Triggering a crash via debugfs requires local file system access. The CVSS score of 8.8 reflects high impact (confidentiality, integrity, and availability) but the requirement for adjacent network access and lack of remote code execution capability means real-world exploitation is significantly more difficult than the score might suggest.

Remediation

Apply kernel patches that explicitly remove station references during MLD vif teardown on connection preparation failure. Vendors have released fixes in stable and development kernel branches. For systems not yet patched, disable debugfs at compile time if not operationally required, or restrict access to /sys/kernel/debug/ via mount options (debugfs_restrict_mount). For critical systems, disabling multi-link WiFi support at the driver or firmware level temporarily mitigates the issue pending patches.

Patch guidance

Check your kernel version against your distribution's security advisory (verify against the vendor advisory for exact patched versions—this is distribution-specific). Most major Linux distributions have released kernel updates; Ubuntu, Fedora, RHEL, and Debian/Stable all have patches available. Verify the patch commit hash in your kernel sources includes the mac80211 station removal fix. If using a custom kernel build, apply the upstream fix from the Linux kernel stable tree and recompile. Test in a non-production environment first, particularly if relying on WiFi connectivity.

Detection guidance

Monitor for kernel panic logs mentioning 'use-after-free' or 'double free' in debugfs (dmesg, journal). Systems with CONFIG_DEBUG_KASAN enabled will report detailed memory safety violations. Watch for unexpected WiFi disconnections paired with system instability during multi-link connection attempts. Enable kernel address sanitizer (KASAN) in test environments to surface the issue earlier. Review kernel logs for failed MLO connection setups on systems where this pattern precedes crashes.

Why prioritize this

Prioritize patching for development/test systems with debugfs enabled and multi-link WiFi hardware, and for production systems running kernel versions known to be vulnerable. While remote exploitation is not practical, the potential for denial of service combined with the wide deployment of Linux makes this a moderate-to-high priority for systematic patching. Defer lower-risk systems (single-link WiFi only, no debugfs) to regular maintenance windows.

Risk score, explained

CVSS 8.8 (HIGH) reflects: (1) high impact across confidentiality, integrity, and availability due to memory corruption potential; (2) adjacent network access requirement (AV:A) significantly reduces risk versus local or network; (3) no user interaction or special privileges required once network access is gained. The score appropriately penalizes the memory safety issue but the practical exploitability ceiling is meaningfully lower than the numeric score suggests due to environmental constraints (debugfs, MLO-capable hardware, connection failure timing).

Frequently asked questions

Do I need WiFi 7 hardware for this to affect me?

Multi-link operation (MLO) is most common in WiFi 7 devices, but the mac80211 code path is generic enough that any driver using MLO code can be affected. Check your hardware's datasheet and driver documentation. Devices without MLO capability are not vulnerable.

Why is this marked as HIGH severity if it needs debugfs?

Debugfs is compiled into most desktop and server distributions by default, even if not always mounted. The memory corruption itself is the critical issue; debugfs merely provides an easy trigger. On systems where debugfs is disabled, the vulnerability is harder (but not impossible) to exploit.

What's the difference between the connection prep failure and normal WiFi disconnects?

Normal disconnects clean up properly. This bug occurs specifically when the kernel fails during the multi-link connection *setup* phase and then tears down the virtual interface without properly releasing associated station objects. It's an edge-case failure path.

Should I disable WiFi until I patch?

Disabling WiFi entirely is unnecessary. The vulnerability requires a specific sequence of events (MLO connection setup failure). If your WiFi connections are stable, the practical risk is low. However, patching promptly is still the right answer rather than disabling functionality.

This analysis is for informational purposes and based on available vulnerability data as of the publication date. Exploit details are intentionally withheld. Organizations should verify patch availability and compatibility with their specific kernel versions and distributions before deployment. SEC.co does not provide warranty regarding the accuracy or completeness of patch guidance; consult your vendor's security advisory for official patched versions. Testing in non-production environments is strongly recommended before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-46166HIGH

    CVE-2026-46166: Linux Kernel mac80211 Use-After-Free in DFS Radar Detection

  • CVE-2026-44422HIGH

    CVE-2026-44422: FreeRDP RDPEAR Double-Free Vulnerability (HIGH Severity)

  • CVE-2026-10001HIGH

    CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free

  • CVE-2026-10002HIGH

    CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)

  • CVE-2026-10003HIGH

    CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis

  • CVE-2026-10007HIGH

    CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)

  • CVE-2026-10012HIGH

    CVE-2026-10012: Chrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)

  • CVE-2026-10013HIGH

    CVE-2026-10013: Use-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment