CVE-2026-46166
A memory safety flaw exists in the Linux kernel's Wi-Fi driver subsystem (mac80211). When the kernel performs radar detection checks on wireless channels, it can inadvertently access memory that has already been freed, potentially causing a system crash or enabling privilege escalation. The issue stems from unsafe iteration over a list of wireless channel contexts that can be modified during the operation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416, CWE-825
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-30
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: use safe list iteration in radar detect work The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.
11 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46166 is a use-after-free vulnerability (CWE-416) in the Linux kernel's mac80211 Wi-Fi subsystem. The vulnerability occurs in the radar detect work handler when ieee80211_dfs_cac_cancel() is invoked, which can deallocate and remove a channel context (chanctx) from the iterated list without proper protection. Subsequent iterations attempt to access the freed memory structure, triggering a slab-use-after-free condition. The fix implements safe list iteration to prevent dereferencing of freed objects during DFS (Dynamic Frequency Selection) operations.
Business impact
This vulnerability affects system stability and security for any Linux system running Wi-Fi functionality with DFS support enabled. A local attacker with network access could trigger the flaw to crash the kernel, causing denial of service. More critically, the memory corruption primitive could be leveraged for privilege escalation in certain exploitation scenarios. Organizations relying on Linux-based Wi-Fi infrastructure, including enterprise access points, network appliances, and edge devices, face operational risk and potential lateral movement vectors.
Affected systems
All Linux kernel versions are potentially affected. The vulnerability resides in the mac80211 subsystem, which is the kernel's software-based Wi-Fi implementation used by wireless drivers. Systems must be running a kernel with Wi-Fi support and DFS functionality enabled to be vulnerable. Embedded Linux systems, cloud infrastructure nodes with wireless capabilities, and standard Linux distributions all warrant assessment.
Exploitability
The vulnerability requires local or adjacent network access (AV:A per CVSS) to trigger. An attacker must interact with the DFS radar detection mechanism, which is typically initiated through specific wireless management frames or driver-initiated channel availability checks. While not remotely exploitable from the internet, the attack surface is relevant for environments where untrusted devices can connect to the same wireless network or for systems with local access. Exploitation does not require authentication or user interaction.
Remediation
Apply a Linux kernel patch that implements safe list iteration (e.g., list_for_each_entry_safe) in the radar detect work handler to prevent use-after-free. Verify the patch against your kernel version and distribution's security advisories. For vendor-patched systems (distributions, appliance makers), prioritize available updates. Until patches are applied, mitigation options are limited; consider disabling DFS on non-regulated networks if operationally feasible, though this is not a reliable long-term defense.
Patch guidance
Monitor your Linux distribution's security bulletins and the kernel.org stable release notes for patches addressing this CVE. Kernel patches typically flow through distribution channels (Ubuntu, Red Hat, Debian, etc.) before reaching end users. Verify patch applicability by checking your running kernel version (uname -r) against your vendor's advisory. If you maintain your own kernel builds, backport the safe list iteration fix to your kernel branch and recompile. Test patched kernels in a staging environment before production deployment to ensure Wi-Fi functionality and DFS behavior remain stable.
Detection guidance
Monitor system logs for slab-use-after-free errors, kernel warnings, and Wi-Fi driver crashes coinciding with DFS operations. Use kernel debugging tools (e.g., KASAN if enabled, slab debugging) to detect memory corruption at runtime. Kernel core dumps or panic messages referencing mac80211, ieee80211_dfs_cac_cancel, or chanctx structures indicate potential exploitation. Network intrusion detection is not practical; focus on endpoint kernel health monitoring and Wi-Fi subsystem stability metrics. Correlate crashes with DFS trigger events (regulatory domain changes, channel switches, or external radar detection signals).
Why prioritize this
The CVSS 8.8 (HIGH) score reflects the combination of high integrity and availability impact with adjacent-network accessibility. While not publicly listed in the Known Exploited Vulnerabilities (KEV) catalog, the memory corruption primitive and local/adjacent attack vector make this a priority for kernel-patching schedules. Organizations with Wi-Fi infrastructure or embedded Linux devices should treat this as a standard high-priority kernel update, aligned with their patch management SLAs for HIGH-severity vulnerabilities.
Risk score, explained
CVSS 3.1 score of 8.8 derives from: (1) Adjacent Network access vector (AV:A), reflecting the need for network proximity or local access; (2) Low complexity (AC:L), as no special conditions are required to trigger the flaw; (3) No privileges required (PR:N) and no user interaction (UI:N); (4) Unchanged scope (S:U); (5) High impact across confidentiality, integrity, and availability (C:H/I:H/A:H), due to potential privilege escalation and denial of service. The score appropriately penalizes the non-remote attack vector while accounting for serious exploitation consequences.
Frequently asked questions
Can this vulnerability be exploited remotely over the Internet?
No. The attack vector is adjacent network (AV:A), meaning an attacker must have network proximity—typically the same wireless network or a directly connected network segment. Remote exploitation from the Internet is not feasible. However, in enterprise or public Wi-Fi environments, this threat model is relevant.
Do I need to worry about this if I don't use Wi-Fi on my Linux system?
If your system has no Wi-Fi adapter or Wi-Fi support is not compiled into the kernel, this vulnerability does not pose a direct threat. However, server administrators should verify whether mac80211 is present (check /lib/modules/$(uname -r)/kernel/net/mac80211/). Embedded systems and edge devices commonly include Wi-Fi, so assume vulnerability unless explicitly confirmed absent.
What is the relationship between DFS and this vulnerability?
DFS (Dynamic Frequency Selection) is a regulatory mechanism that detects radar signals on wireless channels. When the kernel's DFS handler cancels channel availability checks, it can free channel context structures while the radar detection work loop is still iterating over them. The fix ensures the iteration is resilient to list modifications during execution.
If I'm on a patched kernel, am I fully protected?
Yes, a patched kernel that implements safe list iteration resolves the underlying use-after-free. Ensure you apply the specific patch from your distribution's security advisory and verify the patch version. Testing in a non-production environment is recommended before production rollout.
This analysis is based on the published CVE description and CVSS assessment. Specific patch version numbers, distribution timelines, and detailed exploitation techniques are not provided here; consult your Linux vendor's security advisories for definitive patching guidance. The vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date. Organizations should validate applicability to their kernel version and Wi-Fi configuration before determining remediation urgency. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46125HIGH
CVE-2026-46125: Linux Kernel WiFi Driver Memory Safety Vulnerability
- CVE-2026-44422HIGH
CVE-2026-44422: FreeRDP RDPEAR Double-Free Vulnerability (HIGH Severity)
- CVE-2026-10001HIGH
CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGH
CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGH
CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10007HIGH
CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10012HIGH
CVE-2026-10012: Chrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGH
CVE-2026-10013: Use-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment