CVE-2025-71127

MEDIUM EPSS 3.0%
Published Jan 14, 20265mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jan 14, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Discard Beacon frames to non-broadcast address Beacon frames are required to be sent to the broadcast address, see IEEE Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame shall be set to the broadcast address"). A unicast Beacon frame might be used as a targeted attack to get one of the associated STAs to do something (e.g., using CSA to move it to another channel). As such, it is better have strict filtering for this on the received side and discard all Beacon frames that are sent to an unexpected address. This is even more important for cases where beacon protection is used. The current implementation in mac80211 is correctly discarding unicast Beacon frames if the Protected Frame bit in the Frame Control field is set to 0. However, if that bit is set to 1, the logic used for checking for configured BIGTK(s) does not actually work. If the driver does not have logic for dropping unicast Beacon frames with Protected Frame bit 1, these frames would be accepted in mac80211 processing as valid Beacon frames even though they are not protected. This would allow beacon protection to be bypassed. While the logic for checking beacon protection could be extended to cover this corner case, a more generic check for discard all Beacon frames based on A1=unicast address covers this without needing additional changes. Address all these issues by dropping received Beacon frames if they are sent to a non-broadcast address.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
3.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 15

VendorProductVersionRange
linuxlinux_kernel*≥5.7.1  –  <5.10.248
linuxlinux_kernel*≥5.11  –  <5.15.198
linuxlinux_kernel*≥5.16  –  <6.1.160
linuxlinux_kernel*≥6.2  –  <6.6.120
linuxlinux_kernel*≥6.7  –  <6.12.65
linuxlinux_kernel*≥6.13  –  <6.18.4
linuxlinux_kernel5.7any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/0a59a3895f804469276d188effa511c72e752f35
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/193d18f60588e95d62e0f82b6a53893e5f2f19f8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6e5bff40bb38741e40c33043ba0816fba5f93661
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7b240a8935d554ad36a52c2c37c32039f9afaef2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/88aab153d1528bc559292a12fb5105ee97528e1f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a21704df4024708be698fb3fd5830d5b113b70e0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/be0974be5c42584e027883ac2af7dab5e950098c
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0a59a3895f804469276d188effa511c72e752f35
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/193d18f60588e95d62e0f82b6a53893e5f2f19f8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6e5bff40bb38741e40c33043ba0816fba5f93661
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7b240a8935d554ad36a52c2c37c32039f9afaef2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/88aab153d1528bc559292a12fb5105ee97528e1f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a21704df4024708be698fb3fd5830d5b113b70e0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/be0974be5c42584e027883ac2af7dab5e950098c
    Patch