HIGH 7.8

CVE-2026-46180: Linux brcmfmac Watchdog Use-After-Free Local Privilege Escalation

A use-after-free vulnerability exists in the Linux kernel's Broadcom Wi-Fi driver (brcmfmac) watchdog task shutdown logic. When the kernel stops the watchdog task, a race condition can occur where the task terminates between two function calls, leaving dangling references that code attempts to access. An attacker with local access can exploit this timing weakness to crash the system or potentially execute code with elevated privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
3 configuration(s)
Published / Modified
2026-05-28 / 2026-06-19

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put().

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46180 is a use-after-free (CWE-416) flaw in the brcmfmac Wi-Fi driver's watchdog thread termination sequence. The vulnerability arises from insufficient reference counting when signaling and stopping the watchdog task. Specifically, send_sig() is called without holding a reference to the watchdog task, creating a window where the task can be freed before kthread_stop() executes. The fix involves incrementing the task reference count before send_sig() and using kthread_stop_put() to atomically decrement the reference and halt the thread, eliminating the race condition.

Business impact

Systems relying on Broadcom Wi-Fi adapters with the vulnerable brcmfmac driver face kernel stability risks and potential privilege escalation. Compromised systems could experience unplanned downtime from kernel crashes or unauthorized code execution. For organizations with Linux-based network infrastructure, edge devices, or embedded systems using affected Wi-Fi hardware, this vulnerability warrants prioritized patching to maintain operational continuity and security posture.

Affected systems

The Linux kernel is affected across versions prior to the fix. Any system running a vulnerable kernel build with the brcmfmac driver compiled in or loaded as a module is at risk. This includes servers, desktops, laptops, and embedded systems using Broadcom Wi-Fi hardware (such as BCM4356, BCM4358, or other brcmfmac-supported chipsets). Verify your kernel version and driver configuration against the Linux project's official advisory.

Exploitability

Exploitation requires local system access and the ability to trigger watchdog task shutdown conditions, typically through power management events or explicit driver unload sequences. The vulnerability is not remotely exploitable without first obtaining local privileges. However, the race condition window is reliable enough that repeated attempts are likely to succeed, making this a practical attack vector for local privilege escalation scenarios.

Remediation

Apply kernel updates containing the watchdog task reference counting fix. Verify the applied kernel version against the Linux kernel stable release notes or your distribution's security advisory. As an interim measure, systems without immediate patching capability should restrict local user access and disable Wi-Fi driver unloading where operationally feasible.

Patch guidance

Consult your Linux distribution's security advisories and kernel release notes for specific patched versions. Major distributions (Red Hat, Debian, Ubuntu, SUSE, etc.) typically release kernel security updates through their standard patch channels. Verify the fix commit resolves the brcmfmac watchdog reference counting issue before deploying. Test kernel updates in a non-production environment to confirm Wi-Fi driver stability post-patch.

Detection guidance

Monitor kernel logs for watchdog-related errors, use-after-free warnings, or brcmfmac driver crashes following power state transitions or driver reload events. Use kernel debugging tools (e.g., kasan if enabled) to detect memory access violations. Endpoint detection and response (EDR) solutions should flag unexpected kernel crashes correlated with Wi-Fi device events. Review kernel version and driver compilation state across your fleet to identify affected systems.

Why prioritize this

This vulnerability merits high priority due to its CVSS 7.8 (HIGH) score reflecting local privilege escalation potential, direct impact on kernel stability, and widespread presence in Linux distributions. The fix is straightforward and available, reducing remediation friction. Prioritize systems with untrusted local users, shared compute resources, or edge deployments relying on Broadcom Wi-Fi hardware.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects a high-severity local attack requiring user-level privileges but no user interaction. The attack vector is local, attack complexity is low, and the impact spans confidentiality, integrity, and availability—enabling both crash and privilege escalation scenarios. This score appropriately captures the practical risk to multi-user systems and containerized environments where kernel exploitation directly undermines isolation.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-46180 requires local system access to trigger watchdog task termination. Remote exploitation is not possible without first compromising a local user account or service running on the affected system.

Are all Linux systems affected?

Only systems running the Linux kernel with the brcmfmac Wi-Fi driver enabled are affected. Check your kernel configuration and driver modules. Systems without Broadcom Wi-Fi hardware or those using alternative drivers are not impacted.

What is the recommended action timeline?

Given the HIGH CVSS severity and local privilege escalation potential, prioritize patching within 30 days for systems with untrusted local users, sooner for internet-facing or multi-tenant environments. Standard systems can follow normal maintenance windows.

Does this affect Wi-Fi connectivity before patching?

The vulnerability does not cause ongoing Wi-Fi failures; it creates a race condition during driver shutdown or power management events. Normal Wi-Fi operation continues until those specific edge conditions are triggered.

This analysis is based on published vulnerability data as of the source information date. CVSS scores and severity classifications are derived from official CVE records and may be subject to updates. Verify all patch version numbers, affected kernel releases, and distribution-specific advisories directly with the Linux kernel project and your operating system vendor before deploying changes. SEC.co does not guarantee the applicability or completeness of this guidance for your specific infrastructure; conduct internal testing and risk assessment in your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).