Skip to main content

Linux Kernel CVE-2026-46187

| EUVDEUVD-2026-32814 MEDIUM
Race Condition (CWE-362)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-qcf3-qg3w-g99p
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Local-only kthread race in WiFi driver requires low-privilege access and precise scheduler timing (AC:H); only kernel crash availability impact applies, with no confidentiality or integrity path.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 11, 2026 - 03:11 vuln.today
CVSS changed
Jun 11, 2026 - 03:07 NVD
4.7 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

wifi: rsi: fix kthread lifetime race between self-exit and external-stop

RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur.

However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again.

Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.

AnalysisAI

Use-after-free in the Linux kernel's RSI (Redpine Signals) WiFi driver allows a local low-privileged attacker to crash the kernel by exploiting a race condition between kthread self-exit and external stop operations. When kthread_complete_and_exit races ahead of kthread_stop, the already-freed task struct is dereferenced, causing a kernel denial of service. No public exploit has been identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability; the vulnerability is not listed in CISA KEV.

Technical ContextAI

The flaw resides in the RSI WiFi driver (drivers/net/wireless/rsi) within the Linux kernel's wireless subsystem. CWE-362 (Race Condition) accurately describes the root cause: a TOCTOU-style lifecycle management bug in kthread coordination. The driver uses both kthread_complete_and_exit() for self-termination and kthread_stop() for external teardown. When the kthread self-exits first and its task struct is freed by the scheduler, a subsequent kthread_stop() call dereferences that freed memory - a classic use-after-free. The upstream fix removes the kthread_stop() call entirely, replacing it with a completion-wait mechanism. CPE data confirms the affected product is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* across a wide range of stable branches, with the flaw traceable to commit 4c62764d0fc21a34ffc44eec1210038c3a2e4473.

RemediationAI

Upgrade to a patched Linux kernel version: 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3, as appropriate for the deployed stable branch. Individual stable-branch fix commits are available at https://git.kernel.org/stable/c/16d9f674c619838bdeae42abc0929c9c5477ea1f, https://git.kernel.org/stable/c/4f4c9b13c485abd0a2d2c97f9db339d1dd8e147f, https://git.kernel.org/stable/c/95fcb436586dc3c2983537d557ac05bbc6a027f3, https://git.kernel.org/stable/c/db57a1aa54ff68669781976e4edb045e09e2b65b, and https://git.kernel.org/stable/c/4f9a4ae8d2c198f01611ea376034c326ef43ab56. If patching is not immediately feasible and the system does not rely on RSI (Redpine Signals) WiFi hardware, blacklisting the rsi_usb and rsi_sdio kernel modules via /etc/modprobe.d/blacklist-rsi.conf eliminates the attack surface entirely with no side effects on systems without this hardware. This workaround has no impact on other wireless drivers or kernel functionality.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46187 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy