GHSA-MG4X-3G76-43W7

Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-03-25 12:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: radiotap: reject radiotap with unknown bits

The radiotap parser is currently only used with the radiotap namespace (not with vendor namespaces), but if the undefined field 18 is used, the alignment/size is unknown as well. In this case, iterator->_next_ns_data isn't initialized (it's only set for skipping vendor namespaces), and syzbot points out that we later compare against this uninitialized value.

Fix this by moving the rejection of unknown radiotap fields down to after the in-namespace lookup, so it will really use iterator->_next_ns_data only for vendor namespaces, even in case undefined fields are present.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-23367"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T11:16:36Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: radiotap: reject radiotap with unknown bits\n\nThe radiotap parser is currently only used with the radiotap\nnamespace (not with vendor namespaces), but if the undefined\nfield 18 is used, the alignment/size is unknown as well. In\nthis case, iterator-\u003e_next_ns_data isn\u0027t initialized (it\u0027s\nonly set for skipping vendor namespaces), and syzbot points\nout that we later compare against this uninitialized value.\n\nFix this by moving the rejection of unknown radiotap fields\ndown to after the in-namespace lookup, so it will really use\niterator-\u003e_next_ns_data only for vendor namespaces, even in\ncase undefined fields are present.",
  "id": "GHSA-mg4x-3g76-43w7",
  "modified": "2026-03-25T12:30:24Z",
  "published": "2026-03-25T12:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23367"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/129c8bb320a7cef692c78056ef8e89a2a12ba448"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2a60c588d5d39ad187628f58395c776a97fd4323"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2f8ceeba670610d66f77def32011f48de951d781"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/703fa979badbba83d31cd011606d060bfb8b0d1d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c854758abe0b8d86f9c43dc060ff56a0ee5b31e0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e664971759a0e5570b50c6592e58a7f97d55e992"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.