Skip to main content

Linux Kernel wl1251 EUVDEUVD-2026-27635

| CVE-2026-43113 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-06 Linux GHSA-4c54-jj6j-3j34
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:28 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
8.8 (HIGH)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: wl1251: validate packet IDs before indexing tx_frames

wl1251_tx_packet_cb() uses the firmware completion ID directly to index the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the completion block, and the callback does not currently verify that it fits the array before dereferencing it.

Reject completion IDs that fall outside wl->tx_frames[] and keep the existing NULL check in the same guard. This keeps the fix local to the trust boundary and avoids touching the rest of the completion flow.

AnalysisAI

Out-of-bounds array indexing in Linux kernel's wl1251 wireless driver allows adjacent network attackers to achieve high-impact memory corruption without authentication. The wl1251_tx_packet_cb() function uses untrusted firmware completion IDs directly to index a fixed 16-entry tx_frames array without bounds validation, enabling attackers on the same wireless network segment to read/write arbitrary kernel memory. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and no active exploitation or public POC identified. However, CVSS 8.8 reflects genuine risk for systems with wl1251 hardware on untrusted networks.

Technical ContextAI

The wl1251 is a legacy Texas Instruments WiFi chipset driver in the Linux kernel wireless subsystem. The vulnerability stems from improper input validation where firmware-supplied completion block data (a raw u8 packet ID field) is used directly as an array index without bounds checking. The wl->tx_frames[] array has exactly 16 entries, but firmware can supply ID values 0-255. When completion IDs exceed 15, the driver performs out-of-bounds reads/writes on kernel heap memory adjacent to the array structure. This is a classic example of trusting data from external hardware/firmware without establishing a trust boundary. The fix adds array bounds validation before dereferencing, rejecting IDs >= 16. CPE identifiers confirm this affects mainline Linux kernel code dating back to initial wl1251 driver introduction (commit 1da177e4c3f4), representing nearly two decades of latent vulnerability in this specific wireless chipset driver.

RemediationAI

Update to patched Linux kernel versions: 6.6.136 or later for 6.6.x LTS, 6.12.83+ for 6.12.x, 6.18.24+ for 6.18.x, 6.19.14+ for 6.19.x stable branches, or mainline 7.0+. Patches available from kernel.org stable tree (see git.kernel.org/stable/c/b6ba1eacf276063ebeefbbae8056043c24f2efaf and related commits). If immediate patching is not feasible, compensating controls include: disable wl1251 kernel module via modprobe blacklist (add 'blacklist wl1251' to /etc/modprobe.d/blacklist.conf) which prevents driver loading-acceptable if wl1251 is not required for operations but breaks WiFi functionality for affected hardware; restrict wireless network adjacency by isolating systems with wl1251 hardware to dedicated trusted VLANs with strict access controls-reduces attacker adjacency but adds network segmentation complexity; or physically disable/remove wl1251 wireless hardware if not operationally required. Module blacklisting is the most practical short-term mitigation but renders wireless unusable on affected systems. Kernel updates remain the definitive solution with no functional trade-offs.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27635 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy