diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index c1c117fdf318..a529861256e6 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1289,6 +1289,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
 	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
 		if (elem->datalen < 2)
 			continue;
+		if (elem->data[0] < 1 || elem->data[0] > 8)
+			continue;
 
 		for_each_element(sub, elem->data + 1, elem->datalen - 1) {
 			u8 new_bssid[ETH_ALEN];
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index b91185f4561b..e0dd0249d026 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1582,6 +1582,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy,
 	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
 		if (elem->datalen < 4)
 			continue;
+		if (elem->data[0] < 1 || (int)elem->data[0] > 8)
+			continue;
 		for_each_element(sub, elem->data + 1, elem->datalen - 1) {
 			u8 profile_len;