HIGH
wifi b43 KeyIndex OOB
CVE-2026-46122
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: b43: enforce bounds check on firmware key index in b43_rx()

The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.

Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.
02 KernelScan AI Analysis
Risk summary
Systems with Broadcom BCM43xx WiFi hardware are vulnerable to an out-of-bounds read when processing WiFi frames with malformed firmware-controlled key indices. An attacker within WiFi radio range can transmit crafted frames to trigger an invalid array access, leading to disclosure of adjacent kernel memory or kernel panic.
Vulnerability analysis
The vulnerability occurs in the b43_rx() function where a firmware-provided key index is used to access the dev->key[] array without proper bounds enforcement. The original B43_WARN_ON check only triggers in debug builds and does not prevent the out-of-bounds access in production. A malicious actor within wireless proximity can transmit frames causing the firmware to supply an out-of-bounds key index (>= 58). The resulting read accesses memory beyond the array boundary, potentially disclosing adjacent slab data (confidentiality impact) or referencing unmapped pages and causing a kernel panic (availability impact). The fix converts the warning into an enforcing check that drops frames with invalid key indices.
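The warn-only check and its enforcing replacement, as an added user-space C model that is not the kernel's b43 code: `model_dev`, `MODEL_WARN_ON`, `rx_key_algo_before`, `rx_key_algo_after` and `count_dropped` are hypothetical stand-ins, and only the 58-entry array size comes from this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_KEYS 58 /* dev->key[] size given in the advisory */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
/* Model of a non-enforcing warning: condition evaluated, result ignored. */
#define MODEL_WARN_ON(cond) ((void)(cond))

/* Simplified stand-ins (assumptions), not the real b43 structures. */
struct model_key { uint8_t algorithm; };
struct model_dev { struct model_key key[NUM_KEYS]; unsigned long rx_dropped; };

/* "Before": warn only, then index unconditionally. keyidx >= 58 reads past key[]. */
static uint8_t rx_key_algo_before(const struct model_dev *dev, unsigned int keyidx)
{
    MODEL_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
    return dev->key[keyidx].algorithm;
}

/* "After": the same condition now decides whether the frame is processed. */
static bool rx_key_algo_after(struct model_dev *dev, unsigned int keyidx, uint8_t *algo)
{
    if (keyidx >= ARRAY_SIZE(dev->key)) {
        dev->rx_dropped++; /* drop the frame; key[] is never touched */
        return false;
    }
    *algo = dev->key[keyidx].algorithm;
    return true;
}

/* Feed firmware-reported indices through the enforcing path; return total drops. */
static unsigned long count_dropped(struct model_dev *dev, const unsigned int *idx, size_t n)
{
    uint8_t algo;
    for (size_t i = 0; i < n; i++)
        (void)rx_key_algo_after(dev, idx[i], &algo);
    return dev->rx_dropped;
}

int main(void)
{
    struct model_dev dev = {0};
    const unsigned int seen[] = {0, 57, 58, 200}; /* constructed sample indices */
    (void)rx_key_algo_before(&dev, 57);           /* only safe with a valid index */
    printf("dropped %lu of 4\n", count_dropped(&dev, seen, 4));
    return 0;
}
```

The boundary is the detail to check when reviewing a backport: index 57 is the last valid slot, and 58 must already be rejected.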
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 135cb49c9a42 |
| 5.15 | 5.15.209 | 3157ad40b084 |
| 6.1 | 6.1.175 | 765709720e6a |
| 6.6 | 6.6.140 | c3d7b90dc950 |
| 6.12 | 6.12.88 | 1e9e55cf66f0 |
| 6.18 | 6.18.30 | d7029879bafd |
| 7.0 | 7.0.7 | 219ba67e69e4 |
| mainline | 7.1-rc3 | 1f4f78bf8549 |