HIGH
wifi FastRX Race
CVE-2026-46152
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI4.1MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: drop stray 'static' from fast-RX rx_result ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res. That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued. Make res an automatic variable so each invocation keeps its own result.
02KernelScan AI Analysis
Risk summary
WiFi mesh networks are vulnerable to packet processing corruption when an attacker sends specially crafted packets that trigger concurrent processing. This can cause packets to be misrouted or dropped, potentially disrupting mesh network communication.
Vulnerability analysis
The ieee80211_invoke_fast_rx() function incorrectly declares its rx_result variable as static, causing all concurrent invocations to share the same memory location. When multiple WiFi packets are processed simultaneously, threads can overwrite each other's processing results between ieee80211_rx_mesh_data() and the result evaluation. The fix removes the static keyword to give each invocation its own stack variable. This affects WiFi mesh networks where fast-RX processing is enabled and requires proximity to send malicious mesh packets.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.88 | 1739fc31b4de |
| 6.18 | 6.18.30 | e131562d6f2b |
| 6.6 | 6.6.140 | 03584528bfff |
| 7.0 | 7.0.7 | 3ef44f96ccc3 |
| mainline | 7.1-rc3 | 7a5b81e0c87a |