CVE-2026-46163
A flaw exists in the Linux kernel's b43legacy wireless driver that fails to properly validate array index bounds when processing incoming wireless frames. The firmware supplies a key index value that the driver uses to access a cryptographic key array, but there is no enforcing check to ensure this index stays within valid bounds. In production builds, this allows an attacker with local access to trigger an out-of-bounds memory read by crafting malicious wireless traffic, potentially exposing sensitive kernel memory or causing a system crash.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-129
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: wifi: b43legacy: enforce bounds check on firmware key index in RX path Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[]. Make the check enforcing by dropping the frame for invalid indices.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46163 is an out-of-bounds read vulnerability (CWE-129) in the Linux kernel's b43legacy wireless driver. The vulnerability occurs in the RX path when processing received frames. The driver accepts a firmware-controlled key index without enforcing bounds validation against dev->max_nr_keys. While a B43legacy_WARN_ON macro exists, it is non-enforcing in production kernel builds, permitting out-of-bounds access to the dev->key[] array. The fix involves converting the warning into an enforcing check that drops frames with invalid key indices, preventing the out-of-bounds read.
Business impact
Organizations running Linux systems with b43legacy wireless hardware (legacy Broadcom 43xx devices) face elevated risk of information disclosure or denial of service. An authenticated local attacker could exploit this to read sensitive kernel memory or trigger a kernel panic. For environments relying on these older wireless adapters—common in legacy embedded systems, IoT deployments, or specialized industrial equipment—this vulnerability could compromise system confidentiality and availability. The impact is limited to local attackers, reducing risk in purely remote or air-gapped scenarios.
Affected systems
The Linux kernel across multiple versions is affected, specifically systems using the b43legacy driver for Broadcom 43xx wireless devices. This driver is typically found on older or legacy systems; modern Broadcom wireless hardware uses different drivers. The vulnerability affects any Linux distribution and architecture running an unpatched kernel with b43legacy compiled in or loaded as a module. Check your kernel configuration (e.g., grep CONFIG_B43LEGACY /boot/config-*) and loaded modules (lsmod | grep b43legacy) to determine exposure.
Exploitability
Exploitation requires local access and user-level or higher privileges on the target system. An attacker must craft wireless frames with an out-of-bounds key index value; depending on the target's wireless environment and driver interaction patterns, this may require the attacker to be within wireless range or already present on the system. The attack does not require special tools beyond standard wireless utilities and does not depend on user interaction. However, the practical exploitability varies: in isolated or secured wireless environments, the risk is lower; in open or hostile networks, it is higher. CVSS assigns this a score of 7.8 (HIGH) due to the combination of local access requirement and the severity of the information disclosure and availability impact.
Remediation
Apply a patched Linux kernel version that includes the fix to b43legacy_rx() enforcing bounds validation on the firmware-controlled key index. Verify the patch against your Linux distribution's advisory; patch version numbers vary across distributions. As an interim measure, systems that do not require b43legacy wireless support should disable the driver via kernel configuration or module blacklist. For systems requiring the driver, isolation measures (restricting local access, disabling wireless if not in use) reduce attack surface while awaiting patches.
Patch guidance
Contact your Linux distribution's security advisory for the specific patched kernel version addressing CVE-2026-46163. Major distributions (Red Hat, Ubuntu, Debian, etc.) will release updates; check your system's package manager for kernel updates and apply them according to your change management process. The underlying fix is simple (enforcing the bounds check) and should be low-risk; however, test in a non-production environment first. For custom or self-managed kernels, apply the upstream Linux kernel patch that converts the B43legacy_WARN_ON check into an enforcing drop-frame condition.
Detection guidance
Monitor kernel logs and dmesg for b43legacy driver warnings or errors related to invalid key indices. Systems with CONFIG_DEBUG_KERNEL or enhanced logging may emit earlier warnings before this fix was applied. Network-based detection is challenging since the vulnerability is triggered by malformed wireless frames that the vulnerable driver processes; wireless intrusion detection systems (WIDS) may flag unusual key index patterns if configured to monitor driver-level frame handling. Host-based detection focuses on kernel crash dumps (kernel panics or oops messages) and unexplained denial of service events on systems with b43legacy hardware.
Why prioritize this
This vulnerability warrants prompt but measured prioritization. Although the CVSS score is HIGH (7.8), the requirement for local access significantly narrows the threat scope compared to remote exploits. Systems in trusted environments with restricted local access face lower immediate risk. However, multi-tenant systems, public-access devices, or systems in hostile networks should prioritize patching. The age and legacy nature of b43legacy hardware means many affected systems may already be out of support; organizations should audit which systems actually depend on this driver and focus patches on those with active usage.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: Local Attack Vector (AV:L)—requires attacker presence on the system; Low Attack Complexity (AC:L)—no special conditions needed; Low Privileges (PR:L)—authenticated user access sufficient; No User Interaction (UI:N)—automatic exploitation possible; Unchanged Scope (S:U)—impact limited to the vulnerable system; High Confidentiality (C:H)—out-of-bounds read exposes kernel memory; High Integrity (I:H)—potential for memory corruption; High Availability (A:H)—denial of service via kernel panic. The local-only requirement prevents a critical rating despite the severe impact.
Frequently asked questions
Does this vulnerability affect my system?
Only if your Linux kernel has b43legacy compiled in or loaded as a module AND you have legacy Broadcom 43xx wireless hardware. Modern Broadcom devices use different drivers. Run lsmod | grep b43legacy and check your kernel config; if neither shows b43legacy, you are not affected.
Can this be exploited remotely?
No. Exploitation requires local access to the system (user-level or higher). Remote attackers cannot directly trigger this vulnerability. However, if an attacker gains local access through another means, this vulnerability could be a secondary exploitation vector.
What is the actual impact if exploited?
An attacker can read sensitive kernel memory (confidentiality breach) or cause the kernel to panic and crash the system (denial of service). In rare cases, memory corruption could potentially be leveraged for further privilege escalation, though that would require additional exploits.
Should I disable b43legacy if I do not use it?
Yes. If your system does not require legacy Broadcom wireless support, blacklist or disable the driver to eliminate the attack surface. This is the safest interim mitigation pending patching.
This analysis is provided for informational purposes and based on published vulnerability data as of the date of publication. Specific patch availability, version numbers, and timelines vary by Linux distribution; consult your vendor's security advisory for authoritative guidance. No exploit code or weaponized proof-of-concept is provided herein. Organizations should conduct their own risk assessment based on their environment, asset inventory, and security posture. Immediate action is not required for systems without b43legacy hardware or in fully isolated environments, but patches should be applied in accordance with your change management and patching policies once available. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46122HIGH
CVE-2026-46122: Linux b43 Wireless Driver Out-of-Bounds Read Memory Disclosure
- CVE-2026-10001HIGH
CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGH
CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGH
CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGH
CVE-2026-10006: Chrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGH
CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGH
CVE-2026-10009: Chrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGH
CVE-2026-10012: Chrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)