Skip to main content

Linux Kernel iwlwifi CVE-2026-43172

| EUVDEUVD-2026-27735 HIGH
2026-05-06 Linux GHSA-g3v6-g863-2542
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:33 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
8.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: fix 22000 series SMEM parsing

If the firmware were to report three LMACs (which doesn't exist in hardware) then using "fwrt->smem_cfg.lmac[2]" is an overrun of the array. Reject such and use IWL_FW_CHECK instead of WARN_ON in this function.

AnalysisAI

Array bounds overflow in Linux kernel iwlwifi driver for Intel 22000 series wireless chipsets allows adjacent network attackers to achieve arbitrary memory corruption leading to code execution, privilege escalation, or denial of service. The vulnerability stems from insufficient validation of firmware-reported LMAC (Lower MAC) counts in SMEM parsing code, where malicious or corrupted firmware reporting three LMACs (exceeding the hardware-supported two) triggers out-of-bounds array access in fwrt->smem_cfg.lmac[2]. Patches available for kernel 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploits or CISA KEV listing, but CVSS 8.8 reflects high impact if exploited through compromised WiFi firmware or adjacent network position.

Technical ContextAI

The iwlwifi driver manages Intel wireless chipsets in the Linux kernel, specifically handling firmware interaction and shared memory (SMEM) configuration for 22000 series devices. The vulnerability exists in SMEM parsing logic where the driver reads firmware-reported LMAC (Lower MAC layer) configuration data into a fixed-size array. Intel 22000 series hardware architecturally supports only two LMACs, but the code lacked bounds checking before accessing fwrt->smem_cfg.lmac[index]. When firmware reports three or more LMACs, the driver attempts out-of-bounds array access, potentially corrupting adjacent kernel memory structures. The fix replaces weak WARN_ON assertions with IWL_FW_CHECK validation that explicitly rejects invalid LMAC counts, preventing array overruns. This is a classic buffer overflow scenario (similar to CWE-119/787) triggered by untrusted input from firmware, which sits at a privileged position in the driver trust boundary.

RemediationAI

Apply vendor-provided kernel updates incorporating upstream fixes: upgrade to Linux kernel 6.18.16+ for 6.18.x series (commit 58192b9ce09b), 6.19.6+ for 6.19.x series (commit 2b4b1510aaaf), or 7.0+ for mainline (commit 1d49a42717bd). Patches available at https://git.kernel.org/stable/c/58192b9ce09b0f0f86e2036683bd542130b91a98 (6.18), https://git.kernel.org/stable/c/2b4b1510aaaf5b9fb57327ecffc20c055f61f205 (6.19), and https://git.kernel.org/stable/c/1d49a42717bdc8de77eabeb5b7d3e88d141ffea9 (mainline). Distribution-specific updates: monitor security advisories from your Linux vendor (RHSA, USN, DSA, SUSE-SU) for kernel packages. If immediate patching is infeasible, compensating controls include: disabling iwlwifi driver module via modprobe blacklist (breaks WiFi functionality on affected Intel hardware - acceptable only for wired-only systems), restricting physical access to prevent firmware modification, implementing 802.1X network access control to limit adjacent network exposure (reduces attack surface but does not eliminate risk from authenticated adjacent users), or replacing affected Intel WiFi hardware with alternative chipsets. Note that disabling the driver is the only technical control that fully mitigates but renders WiFi unusable. Runtime kernel integrity monitoring (e.g., SELinux, AppArmor in enforcing mode) provides post-exploit detection but does not prevent the initial memory corruption.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43172 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy