HIGH
wifi wl1251 TxFrame OOB
CVE-2026-43113
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI7.8HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: validate packet IDs before indexing tx_frames wl1251_tx_packet_cb() uses the firmware completion ID directly to index the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the completion block, and the callback does not currently verify that it fits the array before dereferencing it. Reject completion IDs that fall outside wl->tx_frames[] and keep the existing NULL check in the same guard. This keeps the fix local to the trust boundary and avoids touching the rest of the completion flow.
02KernelScan AI Analysis
Risk summary
Systems with wl1251 WiFi chipsets are vulnerable to kernel memory corruption when processing malicious firmware completion packets. Attackers with WiFi access could potentially trigger out-of-bounds array access leading to information disclosure or system compromise.
Vulnerability analysis
The wl1251_tx_packet_cb() function uses firmware-provided completion IDs as direct array indices into the 16-entry tx_frames array without bounds validation. Since the ID is a raw u8 from firmware, values 16-255 cause out-of-bounds access to kernel memory. The fix adds proper bounds checking before array access. This affects systems with physical wl1251 WiFi hardware when WiFi is active and processing completion packets.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 6509dbece733 |
| 5.15 | 5.15.209 | a8a11a876f0a |
| 6.1 | 6.1.175 | e0dc1ad870d6 |
| 6.12 | 6.12.83 | df15adc692a8 |
| 6.18 | 6.18.24 | 8d7465be5163 |
| 6.19 | 6.19.14 | 26ee518695c4 |
| 6.6 | 6.6.136 | b6ba1eacf276 |
| mainline | 7.0 | 0fd56fad9c56 |