Cyber Resilience

CVE-2026-23246

High

Published: 18 March 2026

Published
18 March 2026
Modified
22 May 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0029 20.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-23246 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in Linux Linux Kernel. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other Platforms; in the Other ATLAS/OWASP Terms risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23246 is a stack out-of-bounds write vulnerability in the Linux kernel's mac80211 WiFi subsystem, specifically within the ieee80211_ml_reconfiguration function. The issue arises because the link_id value, extracted from the ML Reconfiguration element via control & 0x000f (yielding 0..15), is used to index the link_removal_timeout array without proper bounds checking. This array has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, making index 15 out-of-bounds and allowing an attacker to trigger a stack overflow.

An adjacent network attacker with no privileges or user interaction required (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 8.8) can exploit this by sending a crafted ML Reconfiguration element with a link_id of 15 or higher. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as kernel memory corruption, potential code execution, or system crashes on affected WiFi-enabled Linux systems.

Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, which add bounds checking to skip subelements where link_id >= IEEE80211_MLD_MAX_NUM_LINKS, thereby preventing the out-of-bounds write. Security practitioners should update to kernels incorporating these fixes, such as those from the provided git.kernel.org stable commits.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15…

more

is out-of-bounds. Skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write.

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ml

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Out-of-bounds write in mac80211 WiFi stack enables adjacent-network RCE (kernel memory corruption) for remote service exploitation and privilege escalation to root.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2022-49720Same product: Linux Linux Kernel
CVE-2022-49478Same product: Linux Linux Kernel
CVE-2026-23447Same product: Linux Linux Kernel
CVE-2025-71143Same product: Linux Linux Kernel
CVE-2022-49186Same product: Linux Linux Kernel
CVE-2026-23354Same product: Linux Linux Kernel
CVE-2025-71100Same product: Linux Linux Kernel
CVE-2025-21692Same product: Linux Linux Kernel
CVE-2022-49548Same product: Linux Linux Kernel
CVE-2023-52987Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.5, 7.0 · 6.5.1 — 6.6.130 · 6.7 — 6.12.77 · 6.13 — 6.18.17

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation ensures application of kernel patches that add bounds checking to ieee80211_ml_reconfiguration, directly preventing the stack out-of-bounds write.

prevent

Information input validation requires checking link_id values from ML Reconfiguration elements to ensure they are within 0-14 before array indexing, addressing the root cause of the vulnerability.

prevent

Memory protection mechanisms such as stack canaries and ASLR mitigate exploitation of the stack overflow by detecting corruption or randomizing memory layouts.

References