CVE-2026-46307 (GCVE-0-2026-46307)
Vulnerability from cvelistv5
Published
2026-06-08 15:46
Modified
2026-06-08 15:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath5k: do not access array OOB
Vincent reports:
> The ath5k driver seems to do an array-index-out-of-bounds access as
> shown by the UBSAN kernel message:
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
> index 4 is out of range for type 'ieee80211_tx_rate [4]'
> ...
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5d/0x80
> ubsan_epilogue+0x5/0x2b
> __ubsan_handle_out_of_bounds.cold+0x46/0x4b
> ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
> tasklet_action_common+0xb5/0x1c0
It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
info->status.rates[ts->ts_final_idx + 1].idx = -1;
with the array defined as:
struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
while the size is:
#define IEEE80211_TX_MAX_RATES 4
is indeed bogus.
Set this 'idx = -1' sentinel only if the array index is less than the
array size. As mac80211 will not look at rates beyond the size
(IEEE80211_TX_MAX_RATES).
Note: The effect of the OOB write is negligible. It just overwrites the
next member of info->status, i.e. ack_signal.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 6d7b97b23e114c8fbb825e6721164d228c1af3fc Version: 6d7b97b23e114c8fbb825e6721164d228c1af3fc Version: 6d7b97b23e114c8fbb825e6721164d228c1af3fc Version: 6d7b97b23e114c8fbb825e6721164d228c1af3fc Version: 6d7b97b23e114c8fbb825e6721164d228c1af3fc Version: 6d7b97b23e114c8fbb825e6721164d228c1af3fc Version: 6d7b97b23e114c8fbb825e6721164d228c1af3fc Version: 6d7b97b23e114c8fbb825e6721164d228c1af3fc |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath5k/base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ecb1c163166759dec004c1fdb9709b8a5992fc8e",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "9dd6aae4bc7bfa11088d928670a3315eae542769",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "744c19e266b0d2628c5951439195dcef27eadacf",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "83226c71af53fb9b3cad40cb9a9a79f36d68c020",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "d6869537013b1f21b292342752d97868b79b5934",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "e9f1081bc775146156def0dbc821b92f35d56afb",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "568173ad9bd0b46cc6cd937dea8791e9b5eefa57",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "d748603f12baff112caa3ab7d39f50100f010dbd",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath5k/base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath5k: do not access array OOB\n\nVincent reports:\n\u003e The ath5k driver seems to do an array-index-out-of-bounds access as\n\u003e shown by the UBSAN kernel message:\n\u003e UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20\n\u003e index 4 is out of range for type \u0027ieee80211_tx_rate [4]\u0027\n\u003e ...\n\u003e Call Trace:\n\u003e \u003cTASK\u003e\n\u003e dump_stack_lvl+0x5d/0x80\n\u003e ubsan_epilogue+0x5/0x2b\n\u003e __ubsan_handle_out_of_bounds.cold+0x46/0x4b\n\u003e ath5k_tasklet_tx+0x4e0/0x560 [ath5k]\n\u003e tasklet_action_common+0xb5/0x1c0\n\nIt is real. \u0027ts-\u003ets_final_idx\u0027 can be 3 on 5212, so:\n info-\u003estatus.rates[ts-\u003ets_final_idx + 1].idx = -1;\nwith the array defined as:\n struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];\nwhile the size is:\n #define IEEE80211_TX_MAX_RATES 4\nis indeed bogus.\n\nSet this \u0027idx = -1\u0027 sentinel only if the array index is less than the\narray size. As mac80211 will not look at rates beyond the size\n(IEEE80211_TX_MAX_RATES).\n\nNote: The effect of the OOB write is negligible. It just overwrites the\nnext member of info-\u003estatus, i.e. ack_signal."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:46:35.059Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ecb1c163166759dec004c1fdb9709b8a5992fc8e"
},
{
"url": "https://git.kernel.org/stable/c/9dd6aae4bc7bfa11088d928670a3315eae542769"
},
{
"url": "https://git.kernel.org/stable/c/744c19e266b0d2628c5951439195dcef27eadacf"
},
{
"url": "https://git.kernel.org/stable/c/83226c71af53fb9b3cad40cb9a9a79f36d68c020"
},
{
"url": "https://git.kernel.org/stable/c/d6869537013b1f21b292342752d97868b79b5934"
},
{
"url": "https://git.kernel.org/stable/c/e9f1081bc775146156def0dbc821b92f35d56afb"
},
{
"url": "https://git.kernel.org/stable/c/568173ad9bd0b46cc6cd937dea8791e9b5eefa57"
},
{
"url": "https://git.kernel.org/stable/c/d748603f12baff112caa3ab7d39f50100f010dbd"
}
],
"title": "wifi: ath5k: do not access array OOB",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46307",
"datePublished": "2026-06-08T15:46:35.059Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-08T15:46:35.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…