CVE-2026-23246
Published: 18 March 2026
Summary
CVE-2026-23246 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in Linux Linux Kernel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other Platforms; in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23246 is a stack out-of-bounds write vulnerability in the Linux kernel's mac80211 WiFi subsystem, specifically within the ieee80211_ml_reconfiguration function. The issue arises because the link_id value, extracted from the ML Reconfiguration element via control & 0x000f (yielding 0..15), is used to index the link_removal_timeout array without proper bounds checking. This array has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, making index 15 out-of-bounds and allowing an attacker to trigger a stack overflow.
An adjacent network attacker with no privileges or user interaction required (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 8.8) can exploit this by sending a crafted ML Reconfiguration element with a link_id of 15 or higher. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as kernel memory corruption, potential code execution, or system crashes on affected WiFi-enabled Linux systems.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, which add bounds checking to skip subelements where link_id >= IEEE80211_MLD_MAX_NUM_LINKS, thereby preventing the out-of-bounds write. Security practitioners should update to kernels incorporating these fixes, such as those from the provided git.kernel.org stable commits.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12809
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15…
more
is out-of-bounds. Skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ml
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds write in mac80211 WiFi stack enables adjacent-network RCE (kernel memory corruption) for remote service exploitation and privilege escalation to root.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation ensures application of kernel patches that add bounds checking to ieee80211_ml_reconfiguration, directly preventing the stack out-of-bounds write.
Information input validation requires checking link_id values from ML Reconfiguration elements to ensure they are within 0-14 before array indexing, addressing the root cause of the vulnerability.
Memory protection mechanisms such as stack canaries and ASLR mitigate exploitation of the stack overflow by detecting corruption or randomizing memory layouts.