CVE-2026-46307: Linux ath5k WiFi Driver Array Out-of-Bounds Write
CVE-2026-46307 is a memory safety bug in the Linux kernel's ath5k WiFi driver. The driver incorrectly writes data beyond the bounds of an array when handling wireless transmission status updates. While the out-of-bounds write itself is narrow in scope—it only affects an adjacent memory field used for signal strength reporting—the vulnerability demonstrates a real flaw that could be triggered during normal WiFi operations. An attacker with network proximity could potentially exploit this to corrupt driver state or trigger unexpected behavior.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
- Weaknesses (CWE)
- CWE-125
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: wifi: ath5k: do not access array OOB Vincent reports: > The ath5k driver seems to do an array-index-out-of-bounds access as > shown by the UBSAN kernel message: > UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20 > index 4 is out of range for type 'ieee80211_tx_rate [4]' > ... > Call Trace: > <TASK> > dump_stack_lvl+0x5d/0x80 > ubsan_epilogue+0x5/0x2b > __ubsan_handle_out_of_bounds.cold+0x46/0x4b > ath5k_tasklet_tx+0x4e0/0x560 [ath5k] > tasklet_action_common+0xb5/0x1c0 It is real. 'ts->ts_final_idx' can be 3 on 5212, so: info->status.rates[ts->ts_final_idx + 1].idx = -1; with the array defined as: struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES]; while the size is: #define IEEE80211_TX_MAX_RATES 4 is indeed bogus. Set this 'idx = -1' sentinel only if the array index is less than the array size. As mac80211 will not look at rates beyond the size (IEEE80211_TX_MAX_RATES). Note: The effect of the OOB write is negligible. It just overwrites the next member of info->status, i.e. ack_signal.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The ath5k driver contains an out-of-bounds array write in the ath5k_tasklet_tx function (base.c:1741). When processing transmission status, the code attempts to write a sentinel value (-1) to info->status.rates[ts->ts_final_idx + 1].idx without checking if ts->ts_final_idx + 1 exceeds the array bounds. The rates array is defined with IEEE80211_TX_MAX_RATES (4 elements), but ts->ts_final_idx can reach 3 on 5212 chipsets, causing the write to index [4]—one element past the end. This overwrites the adjacent ack_signal field in the info->status structure. The root cause is a missing bounds check before the sentinel assignment.
Business impact
Organizations deploying Linux systems with ath5k-based WiFi adapters face a potential stability and data integrity risk. While the overwrite is narrow, it could lead to unpredictable driver behavior, signal-strength reporting anomalies, or in edge cases, kernel instability. Systems relying on accurate WiFi performance metrics may see corrupted telemetry. The vulnerability is unlikely to enable direct remote code execution but represents a reliability gap that could affect wireless network operations in production environments.
Affected systems
Linux kernel systems equipped with Atheros 5000/5500 series WiFi chipsets using the ath5k driver are affected. This includes older laptops, access points, and embedded devices using these chipsets. The vulnerability is present across multiple Linux kernel versions until patched. Users running modern replacement drivers (like ath9k for newer chipsets) are unaffected.
Exploitability
The vulnerability requires adjacent network access (AV:A per CVSS vector) and no authentication. However, reliable exploitation is non-trivial: an attacker must trigger the specific code path during transmission status handling and induce a ts->ts_final_idx value of 3 on affected hardware. The bug is not listed in CISA's KEV catalog, indicating no known active exploitation in the wild. Opportunistic triggering during normal WiFi traffic is theoretically possible but would not yield high-impact results given the narrow scope of the memory corruption.
Remediation
Apply a Linux kernel update that includes the ath5k bounds-check fix. The patch adds a conditional check to only write the sentinel value when ts->ts_final_idx + 1 remains within array bounds. Verify the specific kernel version carrying this fix against your Linux distribution's advisory. For systems where immediate patching is not feasible, restricting ath5k driver usage or replacing hardware with ath9k-compatible alternatives mitigates the risk.
Patch guidance
Check your Linux distribution's security advisories for a kernel update addressing CVE-2026-46307. The fix is straightforward: the driver will only set the rates[idx].idx sentinel if idx is less than IEEE80211_TX_MAX_RATES. Distributions including Ubuntu, Red Hat, and Debian typically backport such kernel fixes to stable branches. Verify the kernel version shipped in your update includes the ath5k fix before deployment.
Detection guidance
Monitor system logs for UBSAN (Undefined Behavior SANitizer) messages referencing ath5k base.c:1741 or array-index-out-of-bounds warnings from the ath5k module. These messages confirm the vulnerability is being triggered. If UBSAN is not enabled at runtime, detection is difficult without custom kernel instrumentation. Network administrators should review WiFi driver logs for unusual transmission status anomalies or unexpected signal-strength reporting. Enable kernel warnings (CONFIG_UBSAN) in test environments to surface the condition before production deployment.
Why prioritize this
Although rated HIGH (CVSS 8.3), practical risk is moderate due to narrow exploit scope, lack of public exploitation, and limited impact (memory field corruption rather than arbitrary code execution). Prioritize based on hardware prevalence: systems with ath5k chipsets should be patched, but this is not an emergency-level issue. Organizations using modern WiFi hardware are likely unaffected. Coordinate patching with regular kernel maintenance cycles.
Risk score, explained
The CVSS 8.3 HIGH score reflects: (1) adjacent-network attack surface (wireless range), (2) low complexity, (3) no authentication required, (4) integrity and confidentiality impacts from state corruption. The score appropriately captures the severity of an unchecked memory write, though the practical impact is constrained by the narrow overwrite window and lack of active exploitation. The absence from CISA KEV suggests currently managed risk.
Frequently asked questions
Is this a remote code execution vulnerability?
No. CVE-2026-46307 is an out-of-bounds memory write that overwrites a single adjacent field (ack_signal). It does not allow arbitrary code execution but could corrupt driver state or telemetry. The impact is primarily reliability-related rather than confidentiality or availability at scale.
Do I need to patch immediately?
If your system uses an Atheros 5000/5500 WiFi adapter with the ath5k driver, prioritize patching within your next kernel update cycle. This is not a zero-day or active-exploitation scenario, so standard patch management timelines are appropriate. Modern systems using ath9k or newer drivers are unaffected.
What happens if the bug is triggered?
The driver writes a sentinel value (-1) one element past the intended array, corrupting the ack_signal field. This may cause incorrect WiFi signal strength reporting or subtle driver state inconsistencies. In practice, most systems would continue operating, but with potential data integrity issues in wireless performance metrics.
Is this vulnerability in CISA's Known Exploited Vulnerabilities catalog?
No. CVE-2026-46307 is not listed in CISA KEV, indicating no known active exploitation in the wild. This lowers operational urgency compared to vulnerabilities under active attack.
This analysis is based on the official CVE record and kernel patch description. Patch availability and timelines vary by Linux distribution; verify your vendor's advisory for specific version information and availability dates. CVSS scores reflect NIST assessments and should be interpreted alongside organizational risk context. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct internal risk assessments specific to their hardware inventory and network architecture. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-11077HIGHChrome Dawn Graphics Vulnerability – Sandbox Escape Risk
- CVE-2026-11091HIGHCritical Chrome Memory Corruption Vulnerability in Dawn Graphics Engine
- CVE-2026-11111HIGHChrome Out-of-Bounds Read in ANGLE Graphics Engine — Patch Guidance
- CVE-2026-11191HIGHOut-of-Bounds Memory Access in Chrome ANGLE Library