HIGH
wifi b43legacy KeyIndex OOB
CVE-2026-46163
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: b43legacy: enforce bounds check on firmware key index in RX path

Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[]. Make the check enforcing by dropping the frame for invalid indices.
02 KernelScan AI Analysis
Risk summary
Systems using legacy Broadcom BCM43xx WiFi hardware are vulnerable to information disclosure and denial of service via out-of-bounds memory reads. An attacker within WiFi range can send crafted 802.11 frames that cause the firmware to pass an invalid key index to the b43legacy_rx() path, leading to an out-of-bounds read of the dev->key[] array. A large invalid index can reference unmapped kernel memory and trigger a kernel panic in the RX softirq path, while a carefully chosen small index can leak sensitive kernel memory contents.
Vulnerability analysis
The vulnerability occurs in b43legacy_rx() where a firmware-provided key index is used to access dev->key[] without an enforcing bounds check. The existing B43legacy_WARN_ON is compiled out or non-fatal in production builds, allowing an attacker-controlled key index that exceeds dev->max_nr_keys to proceed. This results in an out-of-bounds read that can expose kernel slab memory or, depending on the index value, touch unmapped pages. The fix converts the non-enforcing warning into an explicit bounds check that drops the frame when the index is invalid.
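The warn-only check and the enforcing check described above, as a small user-space model added here for illustration; it is not the kernel source or the upstream patch. All `model_*` and `rx_lookup_*` names, the table sizes and `MODEL_SECRET` are constructed, and the key table is backed by a larger array so the out-of-range read stays defined inside the model.

```c
#include <stdio.h>

#define MODEL_MAX_NR_KEYS 4  /* stands in for dev->max_nr_keys */
#define MODEL_BACKING     8  /* slots 4..7 model memory adjacent to the key table */
#define MODEL_SECRET 0x5ec7  /* constructed value placed outside the valid range */

struct model_key { int algorithm; };
struct model_dev {
    unsigned int max_nr_keys;
    struct model_key key[MODEL_BACKING];
};

static unsigned int model_warnings;
/* Non-enforcing check: notes the violation, execution continues. */
#define MODEL_WARN_ON(cond) do { if (cond) model_warnings++; } while (0)

/* Before the fix: warn, then index with the firmware-supplied value anyway. */
static int rx_lookup_warn_only(const struct model_dev *dev, unsigned int keyidx)
{
    MODEL_WARN_ON(keyidx >= dev->max_nr_keys);
    return dev->key[keyidx].algorithm;
}

/* After the fix: an invalid index drops the frame (-1) before any access. */
static int rx_lookup_enforced(const struct model_dev *dev, unsigned int keyidx,
                              int *algorithm)
{
    if (keyidx >= dev->max_nr_keys)
        return -1;
    *algorithm = dev->key[keyidx].algorithm;
    return 0;
}

static struct model_dev model_dev_init(void)
{
    struct model_dev dev = { .max_nr_keys = MODEL_MAX_NR_KEYS };
    dev.key[1].algorithm = 2;             /* a legitimately installed key */
    dev.key[5].algorithm = MODEL_SECRET;  /* data beyond the logical table */
    return dev;
}

int main(void)
{
    struct model_dev dev = model_dev_init();
    int algo = 0;
    printf("warn-only idx 5 -> 0x%x\n", rx_lookup_warn_only(&dev, 5));
    printf("enforced  idx 5 -> %d\n", rx_lookup_enforced(&dev, 5, &algo));
    return 0;
}
```

In the model the warn-only path increments a counter and still returns the value stored past the logical end of the table, while the enforced path returns -1 and leaves the caller's output untouched.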
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | a92bd0503df2 |
| 5.15 | 5.15.209 | df805c1d085b |
| 6.1 | 6.1.175 | 4242db36de99 |
| 6.12 | 6.12.88 | 6ee946077607 |
| 6.18 | 6.18.30 | 9d1bc1558029 |
| 6.6 | 6.6.140 | 1baaeb6adecb |
| 7.0 | 7.0.7 | fdd4e51979f4 |
| mainline | 7.1-rc3 | a035766f970b |