Skip to main content

Linux Kernel CVE-2026-46152

| EUVDEUVD-2026-32779 HIGH
Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element (CWE-1058)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-j32m-c4xq-vrpg
8.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:57 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
8.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 8.8
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: drop stray 'static' from fast-RX rx_result

ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.

That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.

Make res an automatic variable so each invocation keeps its own result.

AnalysisAI

Concurrency flaw in the Linux kernel's mac80211 WiFi subsystem (versions from 6.4 onward) can cause misrouted or dropped 802.11 frames on adjacent-network attacks. The bug stems from a stray static qualifier on the per-invocation rx_result in ieee80211_invoke_fast_rx(), which is documented as parallel-RX safe but in practice shares a single result variable across concurrent callers. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the CVSS rating of 8.8 reflects strong CIA impact under adjacent-network conditions.

Technical ContextAI

The vulnerability is in mac80211, the Linux kernel's soft-MAC framework that implements IEEE 802.11 handling for many WiFi drivers (mt76, ath9k/ath10k/ath11k, iwlwifi, rtw88, etc.). The fast-RX path (ieee80211_invoke_fast_rx) processes incoming 802.11 frames on a hot path and was designed to be re-entrant across CPUs. However, the per-call rx_result variable was incorrectly declared static, making it shared process-wide rather than stack-local. Concurrent receive paths can therefore overwrite each other's classification between ieee80211_rx_mesh_data() and the switch (res) dispatch, causing a frame queued/consumed by mesh handling to fall through into ieee80211_rx_8023() or vice versa. This is a classic data race / shared-state bug (CWE-362 / CWE-488 class - variable scope error leading to concurrent modification) rather than a memory-corruption primitive; no CWE was assigned in the input.

RemediationAI

Upgrade to a patched stable kernel: 6.6.140 or later on the 6.6.y series, 6.12.88 or later on 6.12.y, 6.18.30 or later on 6.18.y, 7.0.7 or later on 7.0.y, or 7.1-rc3+ on mainline, applying the fix that converts rx_result from static to an automatic stack variable in ieee80211_invoke_fast_rx() (commits at git.kernel.org/stable/c/3ef44f96ccc3e06e059dec57842e366f0c4b1893 and siblings). On distribution kernels, install the vendor-rebuilt package once the backport is available and reboot. As a temporary compensating control where patching is delayed, you can mitigate exposure by disabling 802.11 mesh interfaces (iw dev <iface> del for any type mesh interface) on systems that do not require mesh networking, or by unloading the mac80211 module / disabling WiFi entirely on appliances that do not need wireless - both eliminate the affected code path at the cost of losing mesh or WiFi functionality. Restricting which devices may associate to the WLAN (WPA3-SAE, MAC ACLs, isolated SSIDs) reduces who can deliver crafted frames but does not close the race itself.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46152 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy