KernelScan.io

HIGH

wifi iwlwifi LMAC OOB

CVE-2026-43172

CVSS 8.8 / 10.0 NVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 4.3 MEDIUM


In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: fix 22000 series SMEM parsing

If the firmware were to report three LMACs (which doesn't exist in hardware) then using "fwrt->smem_cfg.lmac[2]" is an overrun of the array. Reject such and use IWL_FW_CHECK instead of WARN_ON in this function.


Engine v0.2.0

Risk summary

Intel WiFi devices with 22000 series chipsets are vulnerable to limited kernel memory corruption when processing malicious firmware. An attacker with root privileges capable of replacing the iwlwifi firmware file, or with physical access to install malicious hardware, can trigger an out-of-bounds write during shared-memory configuration parsing. This can corrupt adjacent kernel heap memory and lead to system instability or a kernel panic. The fix adds proper bounds checking on the LMAC count reported by firmware and replaces WARN_ON with IWL_FW_CHECK.

Affected: drivers/net/wireless/intel/iwlwifi/fw/smem.c (iwlwifi driver)

Vulnerability analysis

The iwlwifi driver's shared memory configuration parser for 22000 series devices fails to properly validate the number of LMACs reported by firmware before indexing into the fwrt->smem_cfg.lmac array. The array is sized for two entries, but the driver accepts a firmware-reported count of three (or more), causing an out-of-bounds write of a full LMAC structure past the array bounds. The original code checked the wrong size (mem_cfg->lmac_smem), allowing the bug to persist. The corrected code validates lmac_num against ARRAY_SIZE(fwrt->smem_cfg.lmac) and returns early on violation. Because the write is bounded to the size of one LMAC structure, the integrity impact is limited rather than arbitrary. Reachability requires either root privileges to replace the firmware image on the local filesystem or physical access to the PCIe WiFi hardware.
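The count check described above, as an added user-space model that is not the driver's code: only lmac, lmac_num and ARRAY_SIZE come from the text, while the struct layouts, the neighbour field and the function names are assumptions. The neighbour field stands in for whatever follows the two-entry array, so the effect of a reported count of three is visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define CANARY 0xA5A5A5A5u

/* Simplified model: layouts and field names are hypothetical. */
struct lmac_cfg { uint32_t txfifo_size, rxfifo_size; };
struct smem_cfg {
    struct lmac_cfg lmac[2];  /* two-entry array, as described in the analysis */
    uint32_t neighbour[2];    /* stands in for the memory after the array */
};
struct fw_resp { uint32_t lmac_num; struct lmac_cfg lmac[3]; };

/* Store entry i by byte offset: for i == 2 the write lands in neighbour[]. */
static void store_lmac(struct smem_cfg *cfg, uint32_t i, const struct lmac_cfg *src)
{
    memcpy((unsigned char *)cfg + offsetof(struct smem_cfg, lmac) +
           i * sizeof(*src), src, sizeof(*src));
}

/* Before: the firmware-reported count is used as-is (demo input: at most 3). */
int parse_unchecked(struct smem_cfg *cfg, const struct fw_resp *r)
{
    for (uint32_t i = 0; i < r->lmac_num; i++)
        store_lmac(cfg, i, &r->lmac[i]);
    return 0;
}

/* After: a count the array cannot hold is rejected before any write. */
int parse_checked(struct smem_cfg *cfg, const struct fw_resp *r)
{
    if (r->lmac_num > ARRAY_SIZE(cfg->lmac))
        return -1;
    return parse_unchecked(cfg, r);
}

int neighbour_intact(const struct smem_cfg *cfg)
{
    return cfg->neighbour[0] == CANARY && cfg->neighbour[1] == CANARY;
}

int main(void)
{
    struct fw_resp r = { 3, { {1, 2}, {3, 4}, {5, 6} } };  /* constructed input */
    struct smem_cfg a = { .neighbour = { CANARY, CANARY } }, b = a;
    int rejected = parse_checked(&a, &r) == -1 && neighbour_intact(&a);
    parse_unchecked(&b, &r);
    return !(rejected && !neighbour_intact(&b));  /* 0: model behaves as described */
}
```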


Branch     Fixed in   Patch commit
6.18       6.18.16    1d49a42717bd
6.19       6.19.6     2b4b1510aaaf
mainline   7.0        58192b9ce09b