Skip to main content

Linux Kernel CVE-2026-46307

| EUVDEUVD-2026-35172 HIGH
Out-of-bounds Read (CWE-125)
2026-06-08 Linux GHSA-qrx4-q7hg-2xx2
8.3
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.3 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
vuln.today AI
4.2 MEDIUM

Adjacent Wi-Fi vector; high complexity to force ts_final_idx=3 on AR5212; no auth; only a fixed -1 overwrites ack_signal, so C:N and only low integrity/availability impact.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
SUSE
4.3 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:29 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
8.3 (HIGH)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 cve.org
HIGH 8.3
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath5k: do not access array OOB

Vincent reports: > The ath5k driver seems to do an array-index-out-of-bounds access as > shown by the UBSAN kernel message: > UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20 > index 4 is out of range for type 'ieee80211_tx_rate [4]' > ... > Call Trace: > <TASK> > dump_stack_lvl+0x5d/0x80 > ubsan_epilogue+0x5/0x2b > __ubsan_handle_out_of_bounds.cold+0x46/0x4b > ath5k_tasklet_tx+0x4e0/0x560 [ath5k] > tasklet_action_common+0xb5/0x1c0

It is real. 'ts->ts_final_idx' can be 3 on 5212, so: info->status.rates[ts->ts_final_idx + 1].idx = -1; with the array defined as: struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES]; while the size is: #define IEEE80211_TX_MAX_RATES 4 is indeed bogus.

Set this 'idx = -1' sentinel only if the array index is less than the array size. As mac80211 will not look at rates beyond the size (IEEE80211_TX_MAX_RATES).

Note: The effect of the OOB write is negligible. It just overwrites the next member of info->status, i.e. ack_signal.

AnalysisAI

Out-of-bounds array write in the Linux kernel's ath5k wireless driver allows a stray write of a -1 sentinel value into adjacent struct memory when ts_final_idx reaches 3 on Atheros 5212 chipsets. The kernel maintainers and the original reporter explicitly describe the impact as negligible, as the only field overwritten is info->status.ack_signal, with no public exploit identified at time of analysis and an EPSS score of 0.02% (7th percentile).

Technical ContextAI

The bug lives in drivers/net/wireless/ath/ath5k/base.c around line 1741, where ath5k_tasklet_tx writes info->status.rates[ts->ts_final_idx + 1].idx = -1 as a sentinel for mac80211. The rates array is sized IEEE80211_TX_MAX_RATES (4), but on AR5212 hardware ts_final_idx can equal 3, making the +1 index write land one element past the end and clobber the adjacent ack_signal member of struct ieee80211_tx_info.status. This is a classic off-by-one OOB write detected by UBSAN; CWE is not assigned but the pattern aligns with CWE-787 (out-of-bounds write). The affected component is the legacy ath5k driver bound to Atheros 5xxx-series 802.11a/b/g chipsets per the linux:linux CPEs.

RemediationAI

Vendor-released patch available: update to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7, or the 7.1-rc3 mainline - using the corresponding stable-tree commits at https://git.kernel.org/stable/c/ecb1c163166759dec004c1fdb9709b8a5992fc8e and the parallel stable backports listed in the references. For systems that cannot be rebooted promptly, an effective compensating control is to blacklist the ath5k module (echo 'blacklist ath5k' > /etc/modprobe.d/ath5k.conf and rmmod ath5k) on hosts that do not actually need AR5xxx Wi-Fi - the trade-off is loss of wireless connectivity on those legacy adapters. Disabling the affected interface (ip link set wlanX down) also prevents the tasklet path from running but leaves the module loaded and breaks any Wi-Fi use of that NIC. Vendor advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-46307.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46307 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy