Skip to main content

Linux Kernel CVE-2026-46180

| EUVDEUVD-2026-32807 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-jmx9-9wwr-m2r4
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local attacker with low privileges must win a narrow kthread teardown race (AC:H), and a successful UAF on a kernel task_struct yields full C/I/A impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 11, 2026 - 05:11 vuln.today
CVSS changed
Jun 11, 2026 - 03:07 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task

Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().

AnalysisAI

Local privilege escalation risk in the Linux kernel's brcmfmac Broadcom FullMAC Wi-Fi driver stems from a use-after-free in the watchdog kthread teardown path, where the watchdog task can exit between send_sig() and kthread_stop(), leaving stale memory accessible. Successful exploitation by a local low-privileged attacker who can trigger driver teardown could yield kernel memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). No public exploit identified at time of analysis and EPSS is very low (0.02%), suggesting limited near-term exploitation interest.

Technical ContextAI

The flaw lives in drivers/net/wireless/broadcom/brcm80211/brcmfmac, the open-source FullMAC driver for many Broadcom Wi-Fi chipsets used in laptops, embedded boards, and Raspberry Pi devices. brcmfmac runs a watchdog kthread that monitors device health; on teardown the driver signals the thread via send_sig() and then calls kthread_stop(). If the thread completes and is freed in the window between those two calls, kthread_stop() dereferences a freed task_struct - a classic CWE-416 use-after-free against kernel memory. The fix raises the task reference count before send_sig() and uses kthread_stop_put() to drop it safely. Affected CPEs are cpe:2.3:o:linux:linux_kernel across the 3.3-to-7.1-rc2 range, indicating the bug has existed in mainline since commit a9ffda88be74 was introduced.

RemediationAI

Vendor-released patches are available: upgrade to Linux kernel 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 (or later in each series), corresponding to stable commits at https://git.kernel.org/stable/c/658d2e46c2e9a8eb9b80c5e803ce3c89885b3366, https://git.kernel.org/stable/c/908b92231e1ded53e43fcfad5e0704d83e1b803c, https://git.kernel.org/stable/c/c623b63580880cc742255eaed3d79804c1b91143, https://git.kernel.org/stable/c/d16827cb1d3936f7627d0da6044483f743ebde03, and https://git.kernel.org/stable/c/ed4168d1a50fef5be8eca947fbbf05a28507d265, and consume the distro update once your vendor backports. If you cannot patch immediately, a workable compensating control is to unload and blacklist the brcmfmac module (echo 'blacklist brcmfmac' > /etc/modprobe.d/brcmfmac.conf and rmmod brcmfmac) on systems that do not require Broadcom FullMAC Wi-Fi - the trade-off is loss of Wi-Fi on affected Broadcom chipsets, which is unacceptable on laptops but typically fine on servers and many embedded deployments. As a secondary control, restrict local untrusted users and tighten CAP_NET_ADMIN so non-root accounts cannot trigger driver bring-up/teardown that races the watchdog kthread.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46180 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy