Skip to main content

Linux kernel brcmfmac EUVDEUVD-2026-27630

| CVE-2026-43110 HIGH
2026-05-06 Linux
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:27 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
8.8 (HIGH)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: validate bsscfg indices in IF events

brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as an array index without a matching range check.

Reject IF events whose bsscfg index does not fit in drvr->iflist[] before indexing the interface array.

[add missing wifi prefix]

AnalysisAI

Adjacent network attackers can achieve remote code execution, information disclosure, or denial of service against Linux systems using Broadcom FullMAC wireless drivers by sending malicious WiFi interface events with out-of-bounds bsscfg indices. The brcmfmac driver's firmware event handler fails to validate array indices before accessing the driver's interface list, enabling memory corruption attacks. Vendor patches are available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile) and no active exploitation or public POC is identified at time of analysis, but the adjacent network attack vector and high impact warrant priority patching for systems with Broadcom WiFi hardware.

Technical ContextAI

The vulnerability exists in the Linux kernel's brcmfmac driver (drivers/net/wireless/broadcom/brcmfmac/), which implements the FullMAC firmware interface for Broadcom WiFi chipsets. The brcmf_fweh_handle_if_event() function processes interface events from firmware and validates the ifidx parameter before accessing drvr->iflist[], but fails to perform equivalent bounds checking on the bsscfgidx field before using it as an array index. This creates a classic out-of-bounds array access vulnerability where attacker-controlled firmware event data can index beyond allocated memory. The driver maintains per-interface state in drvr->iflist[], and the bsscfgidx field from firmware events is used to look up corresponding interface configurations. Without validation, malicious or malformed events can cause writes or reads to arbitrary kernel memory addresses, leading to memory corruption. This affects all Linux kernel versions from the driver's introduction (commit 1da177e4c3f4) until the patches were applied in stable branches 6.6.136, 6.12.83, 6.18.24, 6.19.14, and mainline 7.0.

RemediationAI

Upgrade to patched Linux kernel versions: 6.6.136 or later for the 6.6.x stable branch, 6.12.83 or later for 6.12.x, 6.18.24 or later for 6.18.x, 6.19.14 or later for 6.19.x, or 7.0 for mainline kernel. The fix adds bsscfgidx validation in brcmf_fweh_handle_if_event() before array indexing. Specific patch commits are available at https://git.kernel.org/stable/c/304950a467d83678bd0b0f46331882e2ac23b12d (6.6.x), https://git.kernel.org/stable/c/9fca68c2512a362cad258e4df12a307bb2ee4b8e (6.12.x), https://git.kernel.org/stable/c/3ec7437e9d11374105c2c4e47ae671537729d7e6 (6.18.x), https://git.kernel.org/stable/c/b427c2b05222db36d32ee141609de6128e9091bb (6.19.x), and https://git.kernel.org/stable/c/1ae1e1caa428844e481231f6dbe9b4f475f1d52d (7.0). If immediate patching is not feasible, disable the brcmfmac driver using 'modprobe -r brcmfmac' and use alternative wired networking or different wireless drivers, though this eliminates WiFi functionality on affected Broadcom hardware. Network segmentation to restrict adjacent network access provides limited defense-in-depth but cannot fully mitigate the vulnerability since legitimate WiFi clients have adjacent access by design. No kernel module parameters or configuration changes can mitigate this flaw without disabling the driver entirely.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27630 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy