CVE-2026-46122
A flaw exists in the Linux kernel's b43 wireless driver that can allow a local attacker to read memory outside the bounds of an internal array. The issue stems from insufficient validation of a firmware-supplied index value used to access encryption keys. When the firmware provides an invalid index—one larger than the 58-entry key array—the driver does not properly reject it in production systems, leading to an out-of-bounds read. An attacker with local system access could exploit this to leak sensitive kernel memory.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-129
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-24
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: wifi: b43: enforce bounds check on firmware key index in b43_rx() The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read. Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46122 is an out-of-bounds read vulnerability in the b43 Broadcom wireless driver within the Linux kernel. The vulnerable code path is in the b43_rx() function, which processes received frames and retrieves encryption keys using a firmware-controlled index. The dev->key[] array has a fixed size of 58 entries. The original code contained a B43_WARN_ON() macro to detect out-of-range indices, but this macro is non-enforcing in production kernel builds—it only logs a warning and permits execution to continue. An attacker controlling firmware behavior (or emulating a malicious device) can cause the driver to access memory beyond the array bounds. The fix makes the bounds check enforcing: frames with invalid key indices are dropped rather than processed. This aligns with CWE-129 (Improper Validation of Array Index).
Business impact
This vulnerability allows local users to read kernel memory on affected systems, potentially exposing cryptographic keys, session tokens, or other sensitive data. The confidentiality impact is significant—a successful read can disclose information that would otherwise require elevated privileges to access. While the attack requires local access and standard user privileges, the leaked data could enable privilege escalation or lateral movement. Organizations running affected kernel versions on systems accessible to untrusted users face increased risk of data exfiltration and credential compromise.
Affected systems
The vulnerability affects the Linux kernel, specifically systems running versions that include the b43 wireless driver without the fix. The b43 driver supports Broadcom IEEE 802.11b/g wireless devices. Any Linux distribution kernel prior to the patch is affected; specific patched versions should be verified against your distribution's security advisories. Both server and desktop/laptop systems with Broadcom wireless hardware are in scope.
Exploitability
Exploitation requires local system access and standard user privileges (no root or administrator account needed). The attacker must interact with the b43 driver, typically by triggering wireless frame reception in a controlled manner. While a kernel crash is possible if uninitialized memory is dereferenced, the primary risk is reliable memory disclosure. The attack is not remotely exploitable; physical proximity or prior compromise is required. No active exploitation has been reported in the wild, and this vulnerability is not tracked in the CISA Known Exploited Vulnerabilities catalog.
Remediation
Apply a kernel patch that enforces the key index bounds check in b43_rx(). Rather than issuing a non-enforcing warning, the patched driver will drop frames with invalid firmware-supplied indices, preventing the out-of-bounds read. Administrators should update to a patched kernel version provided by their Linux distribution and reboot affected systems. The fix is small and low-risk, requiring only the tightening of a bounds-check condition.
Patch guidance
Consult your Linux distribution's security advisory for the specific patched kernel version. Most major distributions (Ubuntu, Debian, Red Hat, SUSE, etc.) release kernel updates through their standard package management systems. On systems using a Broadcom b43 wireless adapter, prioritize applying the kernel update at the next convenient maintenance window, followed by a reboot. If you maintain a custom kernel, backport the fix from the upstream Linux kernel repository using the patch from the commit that resolves this CVE. Verify the patch has been applied by checking your kernel version against the distribution's advisory.
Detection guidance
Monitor kernel logs for B43_WARN_ON messages related to invalid key indices, which may indicate exploit attempts on unpatched systems. Enable audit logging for system calls that could access wireless driver ioctl interfaces. Network-based detection is not practical since the vulnerability lies in local driver operation; focus on host-based indicators such as unexpected memory access patterns or driver crashes. After patching, frame drops with invalid indices are normal and expected; no alerting on these is needed.
Why prioritize this
This vulnerability merits prompt patching despite the local-access requirement. The CVSS score of 7.8 (HIGH) reflects the combination of local attack complexity, standard user privileges, and significant confidentiality impact. Memory disclosure vulnerabilities are particularly dangerous in security-critical environments where kernel memory may contain cryptographic material or session keys. Organizations should treat this as a standard-priority security update but not as an emergency—remote attackers cannot exploit it directly.
Risk score, explained
The CVSS 3.1 score of 7.8 is driven by: Attack Vector (Local)—local access required; Attack Complexity (Low)—straightforward to trigger once on the system; Privileges Required (Low)—no admin needed; User Interaction (None)—automatic upon malicious frame receipt; and high Confidentiality impact (complete information disclosure). The Integrity and Availability impacts are also rated High, as memory corruption and crashes are possible, but the primary concern is information leakage.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The attack requires local system access and the ability to interact with the wireless driver. Remote attackers cannot exploit it directly; however, if a system is already compromised via another vector, this flaw becomes an avenue for privilege escalation or in-memory credential theft.
Which wireless hardware is affected?
Systems with Broadcom IEEE 802.11b/g wireless adapters using the b43 driver are vulnerable. If your Linux system uses a different wireless driver (such as ath9k, iwlwifi, or rtl8723bs), this CVE does not apply. You can check your wireless driver with the command 'lspci | grep -i network' and then identify the loaded kernel module.
Is this flaw exploited in the wild?
No. As of the publication date, there is no evidence of active exploitation in the wild, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the vulnerability is well-understood and proof-of-concept code could feasibly be developed, so prompt patching is prudent.
Will the patch impact wireless performance or stability?
No. The patch simply adds enforcement to an existing bounds check—it drops a small number of malformed frames that the driver should never encounter in normal operation. Users should see no performance degradation or stability issues after applying the patch.
This analysis is provided for informational purposes. CVSS scores and vulnerability classifications are based on published vendor advisories and may change as new information emerges. Organizations must validate patch applicability within their own environment and test patches before production deployment. SEC.co makes no warranty regarding the completeness or accuracy of this information and recommends consulting official vendor security advisories for the most current guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46163HIGH
CVE-2026-46163: Linux b43legacy Out-of-Bounds Read in Wireless RX Path
- CVE-2026-10001HIGH
CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGH
CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGH
CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGH
CVE-2026-10006: Chrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGH
CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGH
CVE-2026-10009: Chrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGH
CVE-2026-10012: Chrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)