CVE-2026-46152
A vulnerability in the Linux kernel's WiFi driver (mac80211) allows concurrent network packet processing threads to interfere with each other. The issue stems from a shared variable that should have been unique to each processing thread. When multiple packets arrive simultaneously, one thread's processing result can be overwritten by another, causing packets to be misrouted or incorrectly marked as already processed. This can lead to dropped packets, incorrect packet handling, or exposure of network data.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-1058
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-30
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: drop stray 'static' from fast-RX rx_result ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res. That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued. Make res an automatic variable so each invocation keeps its own result.
12 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The ieee80211_invoke_fast_rx() function in mac80211 is designed to safely handle parallel RX operations, but declares its per-invocation rx_result variable as static, causing concurrent callers to share a single instance. This creates a race condition where threads can overwrite each other's result between the ieee80211_rx_mesh_data() call and the subsequent switch statement on res. A packet queued or consumed by ieee80211_rx_mesh_data() may fall through into ieee80211_rx_8023(), or a packet intended to continue processing may incorrectly return as queued. The fix converts res from static to an automatic variable, ensuring each invocation maintains its own result and eliminating the concurrency issue.
Business impact
This vulnerability affects the integrity and availability of network communications on Linux systems running affected kernel versions. Potential impacts include dropped wireless packets, corrupted packet routing, data exposure through mishandled packets, and denial of service conditions during high-traffic scenarios where concurrent packet processing is most likely. For organizations deploying Linux servers or edge devices with WiFi capabilities—particularly those handling sensitive network communications—this could result in service disruptions, data loss, or unintended information disclosure.
Affected systems
The Linux kernel is affected. This vulnerability impacts any Linux system running vulnerable versions of the kernel where the mac80211 wireless driver is compiled and active, particularly systems handling WiFi connectivity such as access points, embedded devices, routers, and servers with wireless interfaces. Desktop and laptop Linux systems with WiFi cards are also in scope.
Exploitability
Exploitation requires local network access (AV:A) but no privileges or user interaction. An attacker positioned on the same network (e.g., adjacent WiFi range) can trigger the race condition by sending specially timed concurrent packets to a target system. The low attack complexity (AC:L) and lack of authentication requirements make this readily exploitable by an attacker with basic network access. However, reliable exploitation may require timing precision to trigger the race condition consistently.
Remediation
Apply a kernel update from your Linux distribution that includes the fix converting the static rx_result variable to an automatic variable in ieee80211_invoke_fast_rx(). Verify the patch is included in your kernel version by checking the kernel changelog or advisory from your distribution maintainer. Users unable to immediately patch should consider disabling WiFi connectivity if not operationally critical, or isolating affected systems from untrusted networks.
Patch guidance
Contact your Linux distribution (Red Hat, Debian, Ubuntu, etc.) for patched kernel versions addressing this issue. The fix itself is straightforward—changing the rx_result variable declaration from static to automatic—so most distributions should have or quickly release updates. Verify the patch through your distribution's security advisory or kernel git history before deploying. Test patched kernels in non-production environments first to ensure compatibility with your hardware and workloads.
Detection guidance
Monitor kernel logs for unusual WiFi packet processing errors or packet drops that correlate with high concurrent RX traffic. Network monitoring tools can detect anomalous packet behavior such as unexpected packet duplication, loss, or misrouting on WiFi interfaces. However, detection is challenging without kernel instrumentation; consider enabling kernel debug logging temporarily in test environments to baseline normal behavior. System administrators should review system stability reports and packet loss metrics on affected systems to identify potential exploitation.
Why prioritize this
With a CVSS score of 8.8 (HIGH severity) and accessibility from the adjacent network without authentication, this vulnerability merits prompt patching. While not yet added to CISA's Known Exploited Vulnerabilities (KEV) catalog, the combination of high impact (confidentiality, integrity, availability all affected), low barrier to exploitation, and broad distribution across Linux deployments makes this a priority for near-term remediation. Organizations with WiFi-enabled Linux infrastructure should prioritize patching within their standard vulnerability management cadence.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects HIGH severity due to: (1) adjacent network attack vector requiring no privilege escalation or user interaction, (2) low attack complexity enabling reliable exploitation, (3) impact to all three security properties—confidentiality (packet data exposure), integrity (packet misrouting), and availability (packet drops or misprocessing). The score accurately captures the practical risk of a race condition in a widely-used kernel subsystem handling real-time network operations.
Frequently asked questions
Does this affect all Linux systems or only specific hardware?
Any Linux system running a vulnerable kernel version with the mac80211 WiFi driver compiled in is at risk. This includes servers, desktops, laptops, IoT devices, and edge appliances with WiFi capability. Check your kernel version against your distribution's security advisory to determine if you are affected.
Can this vulnerability be exploited remotely over the internet?
No. The attack vector is 'adjacent network' (AV:A), meaning an attacker must be on the same physical WiFi network or within WiFi range. It cannot be exploited remotely over the internet from an external network.
What are the practical consequences of successful exploitation?
An attacker can cause WiFi packets to be dropped, misrouted, duplicated, or exposed to unintended recipients. This may result in network service degradation, data loss, eavesdropping on wireless traffic, or denial of service conditions during concurrent packet processing scenarios.
Is there a workaround if I cannot patch immediately?
If patching is delayed, consider disabling WiFi if operationally feasible, physically isolating affected systems from untrusted networks, or restricting WiFi access to known, trusted devices only. However, these are temporary measures; patching remains the definitive remediation.
This analysis is provided for informational purposes to support vulnerability management and security decision-making. It is not a substitute for vendor advisories, security updates, or professional incident response services. Verify all technical claims, patch versions, and affected product lists against official Linux distribution security advisories and kernel releases before taking remedial action. SEC.co does not guarantee the completeness or accuracy of vulnerability intelligence and recommends independent validation of all remediation steps. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10001HIGH
CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGH
CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGH
CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGH
CVE-2026-10006: Chrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGH
CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGH
CVE-2026-10009: Chrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGH
CVE-2026-10012: Chrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGH
CVE-2026-10013: Use-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment