CVE-2026-31394

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations<br /> <br /> ieee80211_chan_bw_change() iterates all stations and accesses<br /> link-&gt;reserved.oper via sta-&gt;sdata-&gt;link[link_id]. For stations on<br /> AP_VLAN interfaces (e.g. 4addr WDS clients), sta-&gt;sdata points to<br /> the VLAN sdata, whose link never participates in chanctx reservations.<br /> This leaves link-&gt;reserved.oper zero-initialized with chan == NULL,<br /> causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()<br /> when accessing chandef-&gt;chan-&gt;band during CSA.<br /> <br /> Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata()<br /> before accessing link data.<br /> <br /> [also change sta-&gt;sdata in ARRAY_SIZE even if it doesn&amp;#39;t matter]