CVE-2025-71127

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mac80211: Discard Beacon frames to non-broadcast address<br /> <br /> Beacon frames are required to be sent to the broadcast address, see IEEE<br /> Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame<br /> shall be set to the broadcast address"). A unicast Beacon frame might be<br /> used as a targeted attack to get one of the associated STAs to do<br /> something (e.g., using CSA to move it to another channel). As such, it<br /> is better have strict filtering for this on the received side and<br /> discard all Beacon frames that are sent to an unexpected address.<br /> <br /> This is even more important for cases where beacon protection is used.<br /> The current implementation in mac80211 is correctly discarding unicast<br /> Beacon frames if the Protected Frame bit in the Frame Control field is<br /> set to 0. However, if that bit is set to 1, the logic used for checking<br /> for configured BIGTK(s) does not actually work. If the driver does not<br /> have logic for dropping unicast Beacon frames with Protected Frame bit<br /> 1, these frames would be accepted in mac80211 processing as valid Beacon<br /> frames even though they are not protected. This would allow beacon<br /> protection to be bypassed. While the logic for checking beacon<br /> protection could be extended to cover this corner case, a more generic<br /> check for discard all Beacon frames based on A1=unicast address covers<br /> this without needing additional changes.<br /> <br /> Address all these issues by dropping received Beacon frames if they are<br /> sent to a non-broadcast address.