Skip to main content

Linux Kernel CVE-2026-46122

| EUVDEUVD-2026-32881 HIGH
Improper Validation of Array Index (CWE-129)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-pq22-w363-wp5p
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.3 MEDIUM

Local, firmware-dependent trigger raises AC:H; an out-of-bounds read yields memory disclosure (C:H) and possible crash (A:L) but no write, so I:N.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
SUSE
6.1 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 19:01 vuln.today
CVSS changed
Jun 24, 2026 - 16:52 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

wifi: b43: enforce bounds check on firmware key index in b43_rx()

The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.

Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.

AnalysisAI

Out-of-bounds memory read in the Linux kernel's b43 Broadcom wireless driver allows leakage of adjacent kernel memory when the device firmware supplies a key index that exceeds the 58-entry dev->key[] array in b43_rx(). The pre-patch guard (B43_WARN_ON) is a no-op in production kernels, so the invalid index was used to index the array unchecked. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%); the fix enforces the bounds check and drops the offending frame.

Technical ContextAI

The flaw lives in the in-tree b43 driver (drivers/net/wireless/broadcom/b43), which supports legacy Broadcom 43xx 802.11 chipsets. During receive processing, b43_rx() reads a hardware/firmware-provided key index that is meant to map into the driver's dev->key[] table of 58 hardware cryptographic key slots. The root cause maps to CWE-129 (Improper Validation of Array Index): the value originating from firmware was trusted and used as an array subscript while the only sanity check, B43_WARN_ON, compiles to nothing in production builds, permitting a read past the end of the array. CPE data scopes this to cpe:2.3:o:linux:linux_kernel across multiple branches up to the 7.1-rc series.

RemediationAI

Vendor-released patch: update to a fixed Linux kernel - 6.6.140, 6.12.88, 7.0.7, 6.18.30, or 7.1-rc3 (or later) - via your distribution's kernel update channel; the fix makes the key-index bounds check enforcing and drops frames with an invalid index. The upstream fix is available as kernel stable commits (e.g. https://git.kernel.org/stable/c/1e9e55cf66f0fa4799f4d86ef3aaba8e606b5c14); see https://nvd.nist.gov/vuln/detail/CVE-2026-46122 for the reference set. If you cannot patch immediately, a low-cost compensating control is to disable/unload the b43 module on hosts that do not need legacy Broadcom Wi-Fi (e.g. blacklist b43 in modprobe), which fully removes the attack surface but disables that wireless adapter; on devices that depend on it, restrict physical/local access since the vector is local. Avoid loading untrusted or modified firmware for the adapter.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46122 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy