{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23367", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.003Z", "datePublished": "2026-03-25T10:27:49.068Z", "dateUpdated": "2026-03-25T10:27:49.068Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:49.068Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: radiotap: reject radiotap with unknown bits\n\nThe radiotap parser is currently only used with the radiotap\nnamespace (not with vendor namespaces), but if the undefined\nfield 18 is used, the alignment/size is unknown as well. In\nthis case, iterator->_next_ns_data isn't initialized (it's\nonly set for skipping vendor namespaces), and syzbot points\nout that we later compare against this uninitialized value.\n\nFix this by moving the rejection of unknown radiotap fields\ndown to after the in-namespace lookup, so it will really use\niterator->_next_ns_data only for vendor namespaces, even in\ncase undefined fields are present."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/wireless/radiotap.c"], "versions": [{"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96", "lessThan": "703fa979badbba83d31cd011606d060bfb8b0d1d", "status": "affected", "versionType": "git"}, {"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96", "lessThan": "129c8bb320a7cef692c78056ef8e89a2a12ba448", "status": "affected", "versionType": "git"}, {"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96", "lessThan": "2a60c588d5d39ad187628f58395c776a97fd4323", "status": "affected", "versionType": "git"}, {"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96", "lessThan": "2f8ceeba670610d66f77def32011f48de951d781", "status": "affected", "versionType": "git"}, {"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96", "lessThan": "e664971759a0e5570b50c6592e58a7f97d55e992", "status": "affected", "versionType": "git"}, {"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96", "lessThan": "c854758abe0b8d86f9c43dc060ff56a0ee5b31e0", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/wireless/radiotap.c"], "versions": [{"version": "2.6.34", "status": "affected"}, {"version": "0", "lessThan": "2.6.34", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/703fa979badbba83d31cd011606d060bfb8b0d1d"}, {"url": "https://git.kernel.org/stable/c/129c8bb320a7cef692c78056ef8e89a2a12ba448"}, {"url": "https://git.kernel.org/stable/c/2a60c588d5d39ad187628f58395c776a97fd4323"}, {"url": "https://git.kernel.org/stable/c/2f8ceeba670610d66f77def32011f48de951d781"}, {"url": "https://git.kernel.org/stable/c/e664971759a0e5570b50c6592e58a7f97d55e992"}, {"url": "https://git.kernel.org/stable/c/c854758abe0b8d86f9c43dc060ff56a0ee5b31e0"}], "title": "wifi: radiotap: reject radiotap with unknown bits", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: radiotap: reject radiotap with unknown bits\n\nThe radiotap parser is currently only used with the radiotap\nnamespace (not with vendor namespaces), but if the undefined\nfield 18 is used, the alignment/size is unknown as well. In\nthis case, iterator->_next_ns_data isn't initialized (it's\nonly set for skipping vendor namespaces), and syzbot points\nout that we later compare against this uninitialized value.\n\nFix this by moving the rejection of unknown radiotap fields\ndown to after the in-namespace lookup, so it will really use\niterator->_next_ns_data only for vendor namespaces, even in\ncase undefined fields are present."}], "id": "CVE-2026-23367", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:36.000", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/129c8bb320a7cef692c78056ef8e89a2a12ba448"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2a60c588d5d39ad187628f58395c776a97fd4323"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2f8ceeba670610d66f77def32011f48de951d781"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/703fa979badbba83d31cd011606d060bfb8b0d1d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c854758abe0b8d86f9c43dc060ff56a0ee5b31e0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e664971759a0e5570b50c6592e58a7f97d55e992"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-824", "details": ["A flaw was found in the Linux kernel's wifi: radiotap parser. When processing specially crafted radiotap frames containing unknown bits, an uninitialized value is used in a comparison. This vulnerability could allow a remote attacker to cause a denial of service (DoS) by triggering a system crash or potentially lead to information disclosure."], "name": "CVE-2026-23367", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23367\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23367\nhttps://lore.kernel.org/linux-cve-announce/2026032540-CVE-2026-23367-6e44@gregkh/T"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-03-25T11:57:41.060020+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the commit correcting the radiotap parsing logic.", "If immediate kernel upgrade is not possible, disable Wi\u2011Fi reception or block radiotap frames to prevent the flaw from being exercised.", "Monitor system logs for kernel panics or abnormal behavior that may indicate exploitation."], "summary": {"action": "Assess Impact", "impact": "Unpredictable behavior potentially leading to information disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Linux kernel builds that include the original radiotap parsing logic before the fix referenced by commits c854758 and e664971. Exact versions are not listed, so any Linux kernel prior to the commit that introduced the change is potentially impacted.", "description_and_impact": "The issue occurs in the Linux kernel\u2019s Wi\u2011Fi radiotap parser when it encounters an undefined field (field 18). The parser references an uninitialized internal pointer during the namespace lookup. This can cause the kernel to read unpredictable memory or crash, which may expose sensitive data or lead to denial of service. The weakness is a use of an uninitialized variable (CWE\u2011758).", "risk_and_exploitability": "No CVSS score or EPSS information is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector involves an attacker capable of injecting crafted Wi\u2011Fi frames containing a radiotap header with an unknown field. Because the flaw is tied to network traffic, systems that accept untrusted wireless packets may be at risk. Without evidence of a public exploit, the risk is considered moderate, but the lack of patch updates among some deployments could increase exposure."}}}}, "created": "2026-03-25T21:31:48.784970+00:00", "updated": "2026-03-25T21:31:48.785040+00:00", "vendors": [], "weaknesses": ["CWE-758"]}