HIGH
wifi brcmfmac BssCfg OOB
CVE-2026-43110
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 8.7 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: validate bsscfg indices in IF events

brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as an array index without a matching range check.

Reject IF events whose bsscfg index does not fit in drvr->iflist[] before indexing the interface array.

[add missing wifi prefix]
02 KernelScan AI Analysis
Risk summary
Malicious or compromised WiFi firmware can trigger an out-of-bounds memory access in the brcmfmac driver by supplying an invalid bsscfg index. This can lead to kernel memory corruption, information disclosure, or system crashes on devices with Broadcom WiFi hardware reachable within wireless range.
Vulnerability analysis
The brcmf_fweh_handle_if_event() function validates the firmware-provided interface index (ifidx) before array access, but fails to validate the bsscfgidx field used to index drvr->iflist[]. A firmware event with an out-of-bounds bsscfgidx causes the driver to read a wild pointer from arbitrary kernel memory, which is then dereferenced. Because the firmware can be influenced or compromised over the WiFi link, an attacker within radio range can reach the vulnerable driver code without local privileges or user interaction.
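Added example, not taken from the kernel source or the patch: a simplified userspace model of the validation described above, where both firmware-supplied indices are range-checked before iflist[] is indexed. Only the names iflist, ifidx and bsscfgidx come from this page; the model_* types, MODEL_MAX_IFS and the EV_* codes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MODEL_MAX_IFS 16 /* constructed table size for this model */

enum { EV_OK = 0, EV_BAD_IFIDX = -1, EV_BAD_BSSCFGIDX = -2, EV_NO_IF = -3 };

struct model_if { uint8_t ifidx, bsscfgidx; };
struct model_if_event { uint8_t ifidx, bsscfgidx; }; /* firmware-controlled */
struct model_drvr { struct model_if *iflist[MODEL_MAX_IFS]; };

/* Both indices come from firmware, so both are range-checked. The fields
 * are unsigned bytes, so only the upper bound can be violated. */
static int validate_if_event(const struct model_if_event *ev)
{
    if (ev->ifidx >= MODEL_MAX_IFS)
        return EV_BAD_IFIDX;
    if (ev->bsscfgidx >= MODEL_MAX_IFS) /* the check the description says was missing */
        return EV_BAD_BSSCFGIDX;
    return EV_OK;
}

/* iflist[] is indexed only after validation has passed. */
static int handle_if_event(const struct model_drvr *drvr,
                           const struct model_if_event *ev, struct model_if **out)
{
    int rc = validate_if_event(ev);
    *out = NULL;
    if (rc != EV_OK)
        return rc;
    *out = drvr->iflist[ev->bsscfgidx];
    return *out ? EV_OK : EV_NO_IF;
}

/* Constructed scenario: one interface registered in slot 0. */
static int run_case(uint8_t ifidx, uint8_t bsscfgidx)
{
    struct model_if primary = { 0, 0 };
    struct model_drvr drvr = { .iflist = { &primary } };
    struct model_if_event ev = { ifidx, bsscfgidx };
    struct model_if *ifp;
    return handle_if_event(&drvr, &ev, &ifp);
}

int main(void)
{
    printf("%d %d %d\n", run_case(0, 0), run_case(0, 1), run_case(0, 200));
    return 0;
}
```

An in-range index that names an empty slot is reported separately (EV_NO_IF) from an index that would fall outside the table, so the two conditions can be logged and counted independently.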
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | b329fbcf0759 |
| 5.15 | 5.15.209 | 2ae3ccb78c0a |
| 6.1 | 6.1.175 | 9c81bcc2c695 |
| 6.6 | 6.6.136 | 3ec7437e9d11 |
| 6.12 | 6.12.83 | 9fca68c2512a |
| 6.18 | 6.18.24 | 1ae1e1caa428 |
| 6.19 | 6.19.14 | b427c2b05222 |
| mainline | 7.0 | 304950a467d8 |