When we parse a multi-BSSID element, we might point some element pointers into the allocated nontransmitted_profile. However, we free this before returning, causing UAF when the relevant pointers in the parsed elements are accessed.
There was no shipped kernel version that was seen affected by this problem.
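The lifetime problem described above, as an added example that is not kernel code: a toy parser in which the parsed `ssid` pointer can end up inside a scratch copy of the nontransmitted profile, so the scratch buffer is owned by the result and freed with it rather than before returning. The names `struct elems`, `elems_parse`, `elems_free` and `sample_frame`, and the simplified element layout, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define EID_SSID        0   /* SSID element */
#define EID_MULTI_BSSID 71  /* Multiple BSSID element */

/* Hypothetical, simplified stand-in for the parsed-elements structure. */
struct elems {
    const uint8_t *ssid;   /* points into the frame or into scratch */
    uint8_t ssid_len;
    uint8_t *scratch;      /* copied nontransmitted profile, owned by elems */
};

/* Constructed frame: SSID "ABC", then a multi-BSSID body carrying SSID "XY". */
const uint8_t sample_frame[] = {0, 3, 'A', 'B', 'C', 71, 4, 0, 2, 'X', 'Y'};

/* Walk id/len/data elements; remember where the SSID bytes live. */
static void parse_tlvs(const uint8_t *p, size_t len, struct elems *e)
{
    for (; len >= 2 && (size_t)p[1] + 2 <= len; len -= p[1] + 2, p += p[1] + 2)
        if (p[0] == EID_SSID) { e->ssid = p + 2; e->ssid_len = p[1]; }
}

struct elems *elems_parse(const uint8_t *p, size_t len)
{
    struct elems *e = calloc(1, sizeof(*e));
    if (!e) return NULL;
    parse_tlvs(p, len, e);
    for (; len >= 2 && (size_t)p[1] + 2 <= len; len -= p[1] + 2, p += p[1] + 2) {
        if (p[0] != EID_MULTI_BSSID || p[1] == 0) continue;
        if (!(e->scratch = malloc(p[1]))) break;
        memcpy(e->scratch, p + 2, p[1]);
        parse_tlvs(e->scratch, p[1], e);  /* e->ssid now points into scratch */
        break;  /* the flawed pattern calls free(e->scratch) here: dangling ssid */
    }
    return e;
}

/* Scratch is released only together with the pointers that refer to it. */
void elems_free(struct elems *e)
{
    if (e) free(e->scratch);
    free(e);
}
```

Building a test harness around a parser like this with AddressSanitizer enabled reports the flawed variant on the first read of `ssid` after the early free.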
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2134469]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):