CVE-2026-23367
Received Received - Intake
Uninitialized Memory Use in Linux Kernel Radiotap Parser

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: wifi: radiotap: reject radiotap with unknown bits The radiotap parser is currently only used with the radiotap namespace (not with vendor namespaces), but if the undefined field 18 is used, the alignment/size is unknown as well. In this case, iterator->_next_ns_data isn't initialized (it's only set for skipping vendor namespaces), and syzbot points out that we later compare against this uninitialized value. Fix this by moving the rejection of unknown radiotap fields down to after the in-namespace lookup, so it will really use iterator->_next_ns_data only for vendor namespaces, even in case undefined fields are present.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-24
Generated
2026-05-27
AI Q&A
2026-03-25
EPSS Evaluated
2026-05-25
NVD
CVE-2026-23367
EUVD
EUVD-2026-15350
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.34
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.77 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 2.6.34.1 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's handling of radiotap headers used in wireless networking. Specifically, the radiotap parser does not properly handle unknown or undefined fields, such as field 18, which has an unknown alignment and size. Because of this, an internal iterator value (_next_ns_data) is not initialized correctly, leading to the use of uninitialized memory during processing.

The fix involves changing when the parser rejects unknown radiotap fields, ensuring that the iterator's _next_ns_data is only used for vendor namespaces and not for undefined fields, preventing the use of uninitialized values.


How can this vulnerability impact me? :

The vulnerability can lead to the Linux kernel processing uninitialized memory when parsing radiotap headers with unknown fields. This could potentially cause unpredictable behavior such as crashes or memory corruption in the kernel's wireless networking stack.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart