Severity: HIGH · CVE-2026-46125 · CNA: Linux

CVE-2026-46125: wifi: mac80211: remove station if connection prep fails

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: remove station if connection prep fails

If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any "new_sta" is already being removed, so that doesn't need changes.

This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs.

HarborGuard Analysis

Synopsis

A use-after-free and double-free vulnerability exists in the Linux kernel's mac80211 Wi-Fi subsystem, specifically in the handling of Multi-Link Operation (MLO) connection preparation failures. An attacker on the same network segment (Wi-Fi LAN, adjacent network, or VPN) can trigger this flaw without any credentials. Successful exploitation gives the attacker full read, write, and crash capability over the affected host. Patched-image rebuilds at versions 6.6.140 and 6.12.88 (and the corresponding upstream commits) are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46125 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against kernel packages in customer container images, including custom-built images that carry a vulnerable Linux kernel version.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 8.8 HIGH and weighting it against each customer organization's compliance policy to determine severity priority; the resulting finding can be routed automatically to the appropriate team inbox within each customer environment.

Patch: Available

For customers running kernel images at a version below 6.6.140 or 6.12.88, a patched-image rebuild at the fix versions is available on HarborGuard once images are scanned against the updated advisory. For customers who opt into auto-remediation, HarborGuard will trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability

    The vulnerable service is reachable from an adjacent network (same Wi-Fi segment, LAN, or VPN); the attacker does not need a route over the public internet but must be able to reach the target on the local link.

  • Authentication: Not required

    No credentials or prior authentication are needed; an unauthenticated attacker on the adjacent network can trigger the vulnerability.

  • Victim interaction: Not required

    No user action or social engineering is required; the attacker can trigger the flaw by initiating or manipulating an MLO connection attempt.

  • Attack complexity

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental prerequisites.

Blast Radius

  • The attacker gains full read access to kernel memory, enabling extraction of sensitive data such as cryptographic keys, session tokens, and credentials held in kernel space.
  • The attacker gains full write access to kernel memory, allowing arbitrary modification of kernel data structures and persisted state.
  • The attacker can crash the affected system by corrupting kernel memory through the double-free or use-after-free path, causing an unrecoverable kernel panic.
  • If debugfs is enabled on the target, the corrupted vif debugfs state is also reachable as an exploitation surface, widening the window for memory corruption.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46125 is matched against kernel packages in scanned images the moment the advisory is ingested. For environments running a kernel below 6.6.140 or 6.12.88, a patched-image rebuild at the fix versions is available. For customers with auto-remediation enabled, HarborGuard triggers a rebuilt image, runs a regression-test suite, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation active. Where compliance policy does not permit auto-remediation, the finding is surfaced with CVSS 8.8 HIGH scoring and routed to the designated team inbox for manual review. As a compensating control while patching is in progress, network-policy isolation restricting adjacent-network access to hosts running the vulnerable kernel can reduce exposure.


Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

Affected packages
  • Linux / Linux
    < fe75fa1ac9a92990f7fc3d34b17808fd933071b2 (from 81151ce462e533551f3284bfdb8e0f461c9220e6) · < afcbaed89cdc1a001b43270cbf5394bb4804270a (from 81151ce462e533551f3284bfdb8e0f461c9220e6) · < 9e28654f79f443bca9b29ff3ae7cf18abfba58a0 (from 81151ce462e533551f3284bfdb8e0f461c9220e6) · < 1c2b72ea89882aeb948340498391e69c58d466f1 (from 81151ce462e533551f3284bfdb8e0f461c9220e6) · < 283fc9e44ff5b5ac967439b4951b80bd4299f4e4 (from 81151ce462e533551f3284bfdb8e0f461c9220e6)
  • Linux / Linux
    6.0
    Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
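
A triage helper for the version data above, added here as an example (not HarborGuard's or the kernel project's code): it classifies a `uname -r` style string against the per-branch fix versions listed under "Fixed in". The function names, result labels and sample host inventory are constructed; it assumes each listed fix version belongs to the stable branch with the same major.minor, and a version string alone cannot see distribution backports.

```python
import re

# Per-branch fix versions, copied from the "Fixed in" line of this advisory.
FIXED = {(6, 6): 140, (6, 12): 88, (6, 18): 30, (7, 0): 7}
INTRODUCED = (6, 0)    # first affected version listed under "Affected packages"
MAINLINE_FIX = (7, 1)  # 7.1-rc3 carries the fix
MAINLINE_FIX_RC = 3

def parse_release(release):
    """Split a `uname -r` style string into (major, minor, patch, rc)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), int(rc) if rc else None

def triage(release):
    """Classify one release string (labels are constructed for this example)."""
    major, minor, patch, rc = parse_release(release)
    branch = (major, minor)
    if branch < INTRODUCED:
        return "not-affected"
    if branch > MAINLINE_FIX:
        return "fixed"
    if branch == MAINLINE_FIX:
        # Release candidates before rc3 predate the fix.
        return "fixed" if rc is None or rc >= MAINLINE_FIX_RC else "affected"
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "affected"
    # Assumption: branches with no fix version on this page stay affected.
    return "affected-no-listed-fix"

def triage_inventory(hosts):
    """Map host -> status and return only hosts that still need action."""
    return {h: s for h, r in hosts.items()
            if (s := triage(r)).startswith("affected")}

# Constructed sample inventory (host names and releases are made up).
SAMPLE = {
    "edge-ap-01": "6.6.139",
    "edge-ap-02": "6.6.140-1-amd64",
    "lab-nuc": "6.8.0-45-generic",
    "ci-runner": "5.15.0-100-generic",
    "dev-box": "7.1.0-rc2",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(host, status)
```

Hosts reported as `affected-no-listed-fix` run a branch for which this page lists no fix version, so they need a branch upgrade or a vendor statement rather than a point update.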