{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23367", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.003Z", "datePublished": "2026-03-25T10:27:49.068Z", "dateUpdated": "2026-03-25T10:27:49.068Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:49.068Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: radiotap: reject radiotap with unknown bits\n\nThe radiotap parser is currently only used with the radiotap\nnamespace (not with vendor namespaces), but if the undefined\nfield 18 is used, the alignment/size is unknown as well. In\nthis case, iterator->_next_ns_data isn't initialized (it's\nonly set for skipping vendor namespaces), and syzbot points\nout that we later compare against this uninitialized value.\n\nFix this by moving the rejection of unknown radiotap fields\ndown to after the in-namespace lookup, so it will really use\niterator->_next_ns_data only for vendor namespaces, even in\ncase undefined fields are present."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/wireless/radiotap.c"], "versions": [{"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96", "lessThan": "703fa979badbba83d31cd011606d060bfb8b0d1d", "status": "affected", "versionType": "git"}, {"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96", "lessThan": "129c8bb320a7cef692c78056ef8e89a2a12ba448", "status": "affected", "versionType": "git"}, {"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96", "lessThan": "2a60c588d5d39ad187628f58395c776a97fd4323", "status": "affected", "versionType": "git"}, {"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96", "lessThan": "2f8ceeba670610d66f77def32011f48de951d781", "status": "affected", "versionType": "git"}, {"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96", "lessThan": "e664971759a0e5570b50c6592e58a7f97d55e992", "status": "affected", "versionType": "git"}, {"version": "33e5a2f776e331dc8a4379b6efb660d38f182d96", "lessThan": "c854758abe0b8d86f9c43dc060ff56a0ee5b31e0", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/wireless/radiotap.c"], "versions": [{"version": "2.6.34", "status": "affected"}, {"version": "0", "lessThan": "2.6.34", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.34", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/703fa979badbba83d31cd011606d060bfb8b0d1d"}, {"url": "https://git.kernel.org/stable/c/129c8bb320a7cef692c78056ef8e89a2a12ba448"}, {"url": "https://git.kernel.org/stable/c/2a60c588d5d39ad187628f58395c776a97fd4323"}, {"url": "https://git.kernel.org/stable/c/2f8ceeba670610d66f77def32011f48de951d781"}, {"url": "https://git.kernel.org/stable/c/e664971759a0e5570b50c6592e58a7f97d55e992"}, {"url": "https://git.kernel.org/stable/c/c854758abe0b8d86f9c43dc060ff56a0ee5b31e0"}], "title": "wifi: radiotap: reject radiotap with unknown bits", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: radiotap: reject radiotap with unknown bits\n\nThe radiotap parser is currently only used with the radiotap\nnamespace (not with vendor namespaces), but if the undefined\nfield 18 is used, the alignment/size is unknown as well. In\nthis case, iterator->_next_ns_data isn't initialized (it's\nonly set for skipping vendor namespaces), and syzbot points\nout that we later compare against this uninitialized value.\n\nFix this by moving the rejection of unknown radiotap fields\ndown to after the in-namespace lookup, so it will really use\niterator->_next_ns_data only for vendor namespaces, even in\ncase undefined fields are present."}], "id": "CVE-2026-23367", "lastModified": "2026-03-25T11:16:36.000", "metrics": {}, "published": "2026-03-25T11:16:36.000", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/129c8bb320a7cef692c78056ef8e89a2a12ba448"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2a60c588d5d39ad187628f58395c776a97fd4323"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2f8ceeba670610d66f77def32011f48de951d781"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/703fa979badbba83d31cd011606d060bfb8b0d1d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c854758abe0b8d86f9c43dc060ff56a0ee5b31e0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e664971759a0e5570b50c6592e58a7f97d55e992"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}