What is GHSA-96f2-8m7p-q7j4?

GHSA-96f2-8m7p-q7j4 is a security advisory published by GitHub Security Advisories with Medium severity. In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in...

Which CVE IDs does GHSA-96f2-8m7p-q7j4 cover?

GHSA-96f2-8m7p-q7j4 covers the following CVE IDs: CVE-2026-31394. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-96f2-8m7p-q7j4?

GHSA-96f2-8m7p-q7j4 has a CVSS v3 base score of 5.5, published by GitHub Security Advisories.

GHSA-96f2-8m7p-q7j4MediumCVSS 5.5

In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in...

Vendor

GitHub Security Advisories

Published

April 3, 2026

Last Modified

May 20, 2026

🔗 CVE IDs covered (1)

CVE-2026-31394 →

📋 Description

In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA. Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data. [also change sta->sdata in ARRAY_SIZE even if it doesn't matter]

🔗 CVE IDs covered (1)

📋 Description

🔗 References (6)