Severity: HIGH · CVE-2026-46166 · CNA: Linux

CVE-2026-46166: wifi: mac80211: use safe list iteration in radar detect work

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: use safe list iteration in radar detect work

The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error.
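The bug class described above, as an added userspace example (not the kernel's code and not the upstream patch): a list walk whose body can unlink and free the current entry, next to the save-the-successor form that the kernel's `list_for_each_entry_safe()` macro implements. The `chanctx` struct, `cac_cancel()`, `walk()` and `run()` are hypothetical simplifications, the free is modelled with a poison flag so nothing undefined executes, and that the fix uses this particular macro is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-in for the kernel's intrusive list (constructed for this example). */
struct list_head { struct list_head *next, *prev; };
struct chanctx {                 /* hypothetical, simplified channel context */
    struct list_head list;
    int radar_detected;
    int freed;                   /* poison flag: models the free without real UB */
};
#define ctx_of(p) ((struct chanctx *)((char *)(p) - offsetof(struct chanctx, list)))

static void list_add_tail(struct list_head *n, struct list_head *head) {
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}
/* Models a cancel path that unlinks and frees the context it was handed. */
static void cac_cancel(struct chanctx *ctx) {
    ctx->list.prev->next = ctx->list.next;
    ctx->list.next->prev = ctx->list.prev;
    ctx->freed = 1;
}
/* Walks the list; returns how many times the cursor was advanced from a freed entry. */
static int walk(struct list_head *head, int safe) {
    int stale_reads = 0;
    struct list_head *pos = head->next, *n;
    while (pos != head) {
        struct chanctx *ctx = ctx_of(pos);
        n = pos->next;           /* safe form: successor saved before the body runs */
        if (ctx->radar_detected)
            cac_cancel(ctx);
        if (!safe) {             /* plain form: successor read after the body ran */
            stale_reads += ctx->freed;
            n = pos->next;
        }
        pos = n;
    }
    return stale_reads;
}
/* Three contexts, radar flagged on the middle one (constructed sample). */
static int run(int safe) {
    struct list_head head = { &head, &head };
    struct chanctx c[3] = { {{0}, 0, 0}, {{0}, 1, 0}, {{0}, 0, 0} };
    for (int i = 0; i < 3; i++) list_add_tail(&c[i].list, &head);
    return walk(&head, safe);
}

int main(void) {
    printf("plain: %d stale read(s), safe: %d\n", run(0), run(1));
    return 0;
}
```

In the real kernel the plain form's read lands in freed slab memory, which is what KASAN reports as slab-use-after-free.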

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Linux kernel's mac80211 Wi-Fi subsystem, specifically in the radar detection work path. An attacker on the same network segment can reach the affected service without authentication and trigger the flaw by sending crafted wireless frames that cause a channel-context structure to be freed while still being iterated. Successful exploitation gives the attacker full read, write, and crash capabilities against the affected kernel. Patched-image rebuilds at versions 6.12.88, 6.18.30, and 7.0.7 are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment; the CVE is ingested from upstream Linux kernel security feeds within minutes of publication and matched against customer images, including custom-built images that package an affected kernel version. Any image in a connected registry or CI pipeline carrying a vulnerable kernel is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.8 HIGH and weights it against each environment's compliance policy to surface it to the appropriate team inbox. Per-environment policy rules can escalate or suppress routing based on workload exposure and regulatory context.

Status: Available

Patch

A patched-image rebuild at kernel versions 6.12.88, 6.18.30, or 7.0.7 is available on HarborGuard for images confirmed to carry an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability

    The vulnerability is reachable from an adjacent network such as a local LAN, Wi-Fi segment, or VPN; remote over-the-internet exploitation without LAN-level access is not possible.

  • Authentication: Not required

    No account credentials or session tokens are needed; an unauthenticated attacker on the adjacent network can trigger the flaw.

  • Victim interaction: Not required

    No user action is required; the attacker can initiate the exploit entirely without any interaction from a logged-in user.

  • Attack complexity

    Exploit reliability is high and no special race conditions or environmental prerequisites are required; a straightforward crafted wireless frame sequence is sufficient.

Blast Radius

  • Reads kernel memory, which may expose session tokens, cryptographic material, or other in-memory secrets from any process on the host.
  • Writes to kernel memory structures, allowing an attacker to modify persisted data, escalate privileges, or inject arbitrary code into the running kernel.
  • Crashes the affected kernel, taking down all workloads on the host and causing a full service outage.
  • Compromises the integrity of the host OS, potentially undermining container isolation boundaries for co-located workloads.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of ingestion for any image carrying a Linux kernel below the fixed versions (6.12.88, 6.18.30, or 7.0.7), including custom kernel images built internally. Triage is routed automatically based on CVSS 8.8 HIGH scoring and each customer org's compliance policy weighting. Where compliance policy permits, auto-remediation customers receive a rebuilt image pinned to a fixed kernel version, a regression-test run, and a pull request opened against affected workloads; median time to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

For environments where a kernel upgrade cannot be applied immediately, compensating controls such as network-policy isolation restricting adjacent Wi-Fi segment access, egress filtering on affected nodes, and disabling DFS radar detection features via kernel configuration flags can reduce exposure while the patch is staged.


Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

  • Versions: 0, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
  • Commits: 120149fb3ebcf674832ca3cafd32bedcdb686dde, 7577a4b8a10fab45a6ee2045ea038a5adadbb585, 887ece6c23b49d02a6678e7a8d5ad213d75883ce, ac8eb3e18f41e2cc8492cc1d358bcb786c850270

Affected packages
  • Linux / Linux
    < 887ece6c23b49d02a6678e7a8d5ad213d75883ce (from bca8bc0399ac2efd56e6adbed0307e10125a556c)
    < 7577a4b8a10fab45a6ee2045ea038a5adadbb585 (from bca8bc0399ac2efd56e6adbed0307e10125a556c)
    < 120149fb3ebcf674832ca3cafd32bedcdb686dde (from bca8bc0399ac2efd56e6adbed0307e10125a556c)
    < ac8eb3e18f41e2cc8492cc1d358bcb786c850270 (from bca8bc0399ac2efd56e6adbed0307e10125a556c)
  • Linux / Linux
    6.12
    Fixed in 0, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H