Skip to main content

Linux Kernel EUVDEUVD-2026-32790

| CVE-2026-46163 HIGH
Improper Validation of Array Index (CWE-129)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-2qq4-4rxx-pjhm
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.3 MEDIUM

Local low-priv access plus attacker-influenced firmware key index makes AC:H; primitive is an OOB read so C:H, with I:N and only A:L for potential kernel instability.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 21:23 vuln.today
CVSS changed
Jun 10, 2026 - 21:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

wifi: b43legacy: enforce bounds check on firmware key index in RX path

Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].

Make the check enforcing by dropping the frame for invalid indices.

AnalysisAI

Out-of-bounds read in the Linux kernel's b43legacy wireless driver allows a local attacker with low privileges to read beyond the dev->key[] array when firmware reports a key index exceeding dev->max_nr_keys. The existing B43legacy_WARN_ON check was non-enforcing in production builds, permitting memory disclosure during RX packet handling on systems with vulnerable Broadcom legacy WiFi chipsets. No public exploit identified at time of analysis, and EPSS is very low (0.02%), suggesting limited near-term mass exploitation despite a high CVSS of 7.8.

Technical ContextAI

The b43legacy driver supports older Broadcom 802.11b/g wireless chipsets in the Linux kernel. Within the RX path, b43legacy_rx() reads a per-frame key index that originates from the firmware to look up the matching cryptographic key in the dev->key[] array. CWE-129 (Improper Validation of Array Index) applies because the prior B43legacy_WARN_ON macro only emitted a diagnostic in debug builds and did not actually prevent the lookup when the index exceeded dev->max_nr_keys, allowing an out-of-bounds array read. The fix enforces the bounds check and drops frames carrying invalid indices, mirroring an earlier fix applied to the non-legacy b43 driver.

RemediationAI

Vendor-released patch: update to Linux kernel 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 (or later) depending on your maintained branch, with upstream commits available at https://git.kernel.org/stable/c/1baaeb6adecb9691748c0253dab6ddd19a2b4e9e, https://git.kernel.org/stable/c/6ee946077607d7783ae6709a899213fc4fe08f35, https://git.kernel.org/stable/c/9d1bc155802943e92c57a5fb923d23edfbf0b525, https://git.kernel.org/stable/c/a035766f970bde2d4298346a31a80685be5c0205, https://git.kernel.org/stable/c/fdd4e51979f42ca8b1ab7e6176b607e1caabf2a5, https://git.kernel.org/stable/c/4242db36de99de734cc1f60e5edd86cda7e598c6, https://git.kernel.org/stable/c/a92bd0503df2488f2cc040f329ebccff1c1934cb, and https://git.kernel.org/stable/c/df805c1d085b7a96077f0964185764c87060950d, then consume the rebuilt kernel via your distribution channel. As a compensating control on systems where patching is delayed, blacklist the b43legacy module via /etc/modprobe.d (install b43legacy /bin/true) - this removes the attack surface entirely but disables connectivity for legacy Broadcom 802.11b/g radios; an alternative is to disable the wireless interface (rfkill block wifi or ifconfig down) on hosts that do not require it. There is no runtime configuration workaround inside the driver itself.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32790 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy