CVE-2026-46187: Linux RSI Driver Use-After-Free Vulnerability (CVSS 4.7)
The Linux kernel's RSI wireless driver has a race condition in how it shuts down worker threads. The driver uses two different methods to stop these threads: a self-terminating approach and an external stop command. When the self-terminating method completes first and then the external stop is called, the code tries to access a thread that has already been freed from memory—a use-after-free vulnerability. This affects local users with moderate privileges and can cause a system crash or unexpected behavior.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.7 MEDIUM · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-362
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: fix kthread lifetime race between self-exit and external-stop RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur. However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again. Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46187 is a use-after-free (UAF) vulnerability in the Linux kernel's RSI (Redpine Signals) Wi-Fi driver thread lifecycle management. The vulnerability arises from a race condition between kthread_complete_and_exit() and kthread_stop(). The driver's kthread management has a design flaw: both self-exit and external-stop mechanisms coexist. When kthread_complete_and_exit() executes first and frees the kthread object, a subsequent call to kthread_stop() attempts to dereference freed memory. The fix involves removing the kthread_stop() call and replacing it with a synchronization mechanism that waits for the self-exit operation to complete. The vulnerability is classified as CWE-362 (concurrent execution using shared resource with improper synchronization).
Business impact
This vulnerability primarily affects availability rather than confidentiality or integrity. Systems running affected Linux kernel versions with the RSI wireless driver loaded are susceptible to kernel panics or system hangs triggered by a local attacker with limited user privileges. For organizations relying on wireless connectivity via RSI hardware, exploitation could disrupt service availability. The low CVSS score (4.7) reflects the local attack vector and high complexity required to trigger the race condition, but in high-density wireless environments or embedded systems where RSI drivers are deployed, availability impact could be operationally significant.
Affected systems
The Linux kernel's RSI wireless driver is affected. This driver is used in systems with Redpine Signals Wi-Fi hardware. The vulnerability requires local access and user-level privileges, limiting exposure to multi-user systems, shared hosting environments, or scenarios where local attackers can execute code. Embedded systems, IoT devices, or laptops with RSI-based Wi-Fi adapters running vulnerable kernel versions are in scope. The impact is narrower than many kernel vulnerabilities because RSI is a specific driver for particular hardware; however, some commodity wireless cards and certain development boards use RSI chipsets.
Exploitability
Exploitation requires local system access with non-root user privileges, reducing the threat surface significantly. An attacker must trigger the precise race condition window between the self-exit and external-stop calls—a timing-dependent issue that may require repeated attempts or careful crafting of kernel thread lifecycle events. The high complexity factor (AC:H in the CVSS vector) reflects this difficulty. This is not a trivial remote or unauthenticated attack. No known public exploits are tracked in the KEV catalog, and the specific timing requirements make reliable, weaponized exploitation challenging for the general attacker population.
Remediation
Apply a Linux kernel patch that removes the kthread_stop() call from the RSI driver's shutdown path and implements proper synchronization to await the kthread self-exit operation. Verification against your Linux distribution's security advisory or the kernel.org advisory is required to confirm which kernel versions ship the fix. Most major distributions have backported patches available for stable kernel branches. For systems where immediate patching is impractical, restrict local shell access and monitor for unexpected crashes or wireless driver errors as interim mitigations.
Patch guidance
Consult your Linux distribution's security advisory for the patched kernel version applicable to your release. Canonical (Ubuntu), Red Hat, Debian, and others typically release kernel updates addressing this issue within their respective maintenance windows. Verify the patch against the kernel.org advisory (linux-kernel mailing list) to confirm the exact commit hash and version numbers. Test kernel updates in a non-production environment first, as kernel updates require a reboot. For long-term support (LTS) kernels, patches are generally available; for cutting-edge releases, updates should arrive rapidly.
Detection guidance
Monitor kernel logs (dmesg, journalctl) for UAF-related warnings, use-after-free splats, or RSI driver crash indicators. Kernel Address Sanitizer (KASAN) configurations, if enabled in your kernel build, will flag UAF attempts with detailed stack traces. System administrators should look for patterns of Wi-Fi driver crashes or unexpected kernel panics on systems with RSI wireless hardware. Correlate crashes with local user activity or privilege escalation attempts. Intrusion detection systems focused on kernel behavior may detect anomalous thread lifecycle events, though this requires custom signatures tuned to your environment.
Why prioritize this
Although the CVSS score is moderate (4.7), prioritization should account for the attack vector (local only), the complexity of triggering the race condition, and the specific hardware dependency. If your organization does not use RSI wireless drivers, the risk is negligible. However, for systems that do rely on RSI hardware—particularly in edge computing, IoT, or specific embedded deployments—the availability impact justifies prompt remediation. The lack of KEV tracking and public exploits suggests this is a quality fix rather than an emergency response. Standard patch cadence is appropriate unless RSI wireless is critical to your infrastructure.
Risk score, explained
The CVSS 3.1 score of 4.7 (MEDIUM) reflects: (1) local-only attack vector (AV:L), requiring an attacker already on the system; (2) high attack complexity (AC:H), as the race condition is difficult and unreliable to trigger; (3) low privileges (PR:L), allowing non-root users to attempt exploitation; (4) no user interaction required (UI:N); (5) no impact to confidentiality or integrity (C:N/I:N), but high availability impact (A:H) from potential kernel crashes. The moderate score appropriately balances the serious availability risk against the practical barriers to exploitation.
Frequently asked questions
Does this vulnerability allow remote code execution?
No. This is a use-after-free vulnerability that can cause a system crash (denial of service) but not code execution. It requires local system access with user-level privileges. Remote attackers cannot exploit this vulnerability.
Do I need to patch immediately if I don't use RSI wireless drivers?
Likely not. Check your system's hardware and kernel configuration. RSI drivers are specific to Redpine Signals Wi-Fi chipsets, not found in most commodity Intel or Qualcomm wireless adapters. If you're unsure, check lsmod for 'rsi' modules or consult your hardware documentation.
What is the practical impact of this vulnerability on my infrastructure?
If RSI wireless is deployed, the main risk is unexpected kernel crashes or system hangs triggered by local users, leading to service disruption. It does not compromise data confidentiality or enable privilege escalation. Standard patch management and access controls are sufficient mitigations.
Why is this vulnerability a MEDIUM score and not LOW or HIGH?
It balances competing factors: high availability impact (potential crash) and serious UAF nature push toward higher severity, but local-only attack vector, high complexity of exploitation, and lack of confidentiality/integrity risk keep it at MEDIUM. The specific hardware dependency (RSI only) further limits blast radius.
This analysis is provided for informational purposes and represents the current understanding of CVE-2026-46187 based on public information available as of the publication date. Patch version numbers, vendor advisories, and fix status should be verified directly with Linux distributions and kernel.org before deployment. SEC.co does not provide legal advice or liability indemnification. Organizations must conduct their own risk assessment and testing before applying patches or changes to production systems. The vulnerability details, CVSS score, and affected products are derived from authoritative sources but may be subject to revision by security vendors or the Linux project. Always refer to official distribution advisories and vendor guidance for definitive remediation paths. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46272MEDIUMLinux CoreSight TMC-ETR Race Condition DoS
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-46157HIGHLinux Kernel ALSA PCM OSS Data Race Vulnerability
- CVE-2026-47741MEDIUMShopper Discount Over-Redemption Race Condition (MEDIUM)
- CVE-2026-10565LOWRace Condition in Open5GS NGAP Handover Affects 5G Service Continuity
- CVE-2026-10940HIGHChrome Windows Sandbox Escape via Codec Race Condition
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout