The National Vulnerability Database published CVE-2026-46125 on May 28, 2026, exposing a dangerous use-after-free vulnerability in the Linux kernel's mac80211 wireless stack. The flaw arises from improper handling of failed Multi-Link Operation (MLO) connection attempts in Wi-Fi 7, leaving behind a stale station structure that attackers can exploit to crash systems or potentially execute arbitrary code. Security researchers have confirmed the bug can be triggered locally via the debugfs interface, making it a serious threat for multi-user environments, development machines, and any Linux device with Wi-Fi 7 hardware or driver support.

mac80211 forms the backbone of Linux's Wi-Fi subsystem. It provides a software MAC layer for wireless drivers, handling frame parsing, authentication, association, and station management. With the arrival of Wi-Fi 7 (802.11be), mac80211 was extended to support Multi-Link Operation—a feature that allows devices to connect to an access point using multiple frequency bands simultaneously for higher throughput and lower latency. MLO setup involves creating multiple station entries and linking them to a single MLD (Multi-Link Device). If any part of this multi-step process fails, the kernel must unwind cleanly, releasing allocated resources without leaving dangling references. CVE-2026-46125 shows that this unwinding logic is flawed.

When a Wi-Fi 7 MLO connection attempt fails—perhaps due to a rejected authentication on one link or a timeout—the mac80211 cleanup path can miss removing a station object that was partially initialized. The stale station remains in the driver's internal tables, still pointed to by various framework structures. Later, when any operation traverses these tables (such as reading debugfs statistics, changing virtual interface modes, or reconnecting), the kernel dereferences the freed memory, causing a use-after-free condition. Use-after-free vulnerabilities are especially dangerous because they can be leveraged to achieve arbitrary code execution by manipulating the heap state.

The involvement of debugfs is particularly notable. Debugfs is a virtual filesystem used by kernel developers to expose debugging information and tuning knobs. Often mounted at /sys/kernel/debug, it is accessible only to the root user by default. However, many Linux distributions mount debugfs automatically, and local unprivileged users can sometimes read certain files if permissions are relaxed. Even if limited to root, the bug poses a risk in shared environments where authenticated users have sudo rights or where application sandboxes can escape to root through other means. An attacker with the ability to read from or write to debugfs files related to mac80211 (e.g., /sys/kernel/debug/ieee80211/phy*/stations) could trigger the use-after-free. A proof-of-concept may simply involve reading the stations file after forcing a failed MLO association.

Once the use-after-free occurs, the system's behavior is unpredictable. At minimum, a kernel panic will bring down the machine, causing a denial of service. With careful heap grooming, an attacker could overwrite a freed object with controlled data and hijack the execution flow of the kernel, achieving privilege escalation to ring 0. Given the complexity of heap exploitation on modern Linux kernels, developing a reliable exploit is non-trivial but entirely feasible for determined adversaries. Security researchers have not yet released a public exploit, but the details published in the NVD entry give enough information for skilled attackers to begin crafting one.

The fix, already committed upstream, corrects the cleanup logic in ieee80211_setup_assoc_link and associated functions. The patch ensures that all station references are properly removed from the driver's data structures when MLO setup is aborted. Distribution maintainers are now racing to backport the patch to their stable kernels. Users should monitor their Linux distribution's security announcements for updated packages. Given the low attack complexity and the growing deployment of Wi-Fi 7 access points, this vulnerability has been rated with a high severity score, though the exact CVSS numbers are still under analysis.

Windows users might be tempted to ignore a Linux kernel CVE, but the reality is more interconnected. Many Windows environments run Linux workloads through Windows Subsystem for Linux (WSL), virtual machines, or dual-boot configurations. WSL2, in particular, uses a real Linux kernel managed by Microsoft. If your WSL2 kernel is outdated, it may be vulnerable—especially if you've enabled Wi-Fi passthrough or are using a Wi-Fi adapter inside the VM for network testing. Moreover, network-attached Linux IoT devices, routers, and access points that support Wi-Fi 7 are almost certainly affected, and a compromised device on your network can serve as a pivot point for attacks on Windows machines. IT administrators managing mixed environments should treat this vulnerability with the same urgency as any local privilege escalation bug on Windows.

Beyond the immediate patch, CVE-2026-46125 underscores the challenges of securing next-generation wireless protocols. Wi-Fi 7's Multi-Link Operation adds significant complexity to both station and access point codebases. Every new feature surfaces corner cases that may not be caught during regular testing. The Linux kernel community's mac80211 maintainers have a strong track record of auditing and fixing such issues quickly, but the window of exposure still exists between upstream fixes and end-user deployment. For Windows, Microsoft's Wi-Fi stack is developed independently, with its own driver model (Native 802.11 for older drivers and the newer NetAdapterCx framework) and hardware abstraction. While specific mac80211 bugs do not directly affect Windows, similar logic errors can lurk in proprietary Wi-Fi drivers or the Windows TCP/IP stack. Historically, use-after-free vulnerabilities have plagued both platforms; recent examples include CVE-2023-35628 in the Windows Subsystem for Linux and CVE-2022-4378 in the Linux kernel. This new Wi-Fi 7 flaw is part of a broader pattern where evolving standards introduce fresh attack surface.

For system administrators and security researchers, the discovery process is instructive. The bug was found likely through fuzzing or manual code review of the MLO implementation, which is still relatively new in the kernel. The mac80211 debugfs interface, intended for diagnostics, inadvertently became an attack vector—a reminder that all kernel interfaces, even those gated behind root access, must be hardened. Linux distributions that disable debugfs in production builds (or require explicit remounting with debugfs off) may reduce the immediate exploitability, but other code paths could still trigger the stale station dereference during normal wireless operations.

What can you do right now? If you manage Linux systems with Wi-Fi 7 hardware, update your kernel to a version containing the fix. For mainstream distributions, this means upgrading to the latest stable kernel or applying the distributor's patch. Monitor your distro's security tracker (e.g., Ubuntu's USN, Red Hat's RHSA, Debian's DSA) for announcements referencing CVE-2026-46125. If you cannot patch immediately, consider disabling Wi-Fi 7 specific features by avoiding MLO-capable access points or using kernel module parameters to limit the number of links. For WSL2 users on Windows, check your WSL kernel version with wsl cat /proc/version and update via wsl --update if a newer kernel is available. For embedded devices like routers, wait for firmware updates from the vendor.

The timeline of the vulnerability shows that the upstream fix predates the NVD publication, which is typical. The Linux kernel's security team likely coordinated with the NVD to ensure patches were available before broad disclosure. However, some distros may lag, especially those with older kernel series or custom vendor kernels. The next few weeks will see a flurry of backported patches and increased scrutiny of mac80211 MLO handling.

CVE-2026-46125 serves as a stark reminder that cutting-edge wireless technology brings not just performance gains but also new security pitfalls. As Wi-Fi 7 enters the mainstream, both open-source and proprietary stacks will face similar growing pains. For Windows enthusiasts, staying informed about cross-platform vulnerabilities helps maintain a holistic security posture. Even if your desktop is fully patched, a vulnerable Linux access point can expose your entire network. So keep an eye on kernel updates, advocate for prompt patching in your organization, and remember that security is a shared responsibility across all operating systems.