wifi: wl1251: validate packet IDs before indexing tx_frames_CVE-2026-43113

8.8 / 10

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: wl1251: validate packet IDs before indexing tx_frames

wl1251_tx_packet_cb() uses the firmware completion ID directly to index
the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the
completion block, and the callback does not currently verify that it
fits the array before dereferencing it.

Reject completion IDs that fall outside wl->tx_frames[] and keep the
existing NULL check in the same guard. This keeps the fix local to the
trust boundary and avoids touching the rest of the completion flow.

AI Analysis

Linux kernel vulnerability in wifi: wl1251, where packet IDs are not validated before indexing tx_frames, potentially leading to arbitrary code execution.

Basic Information

ID CVE-2026-43113

Source Linux

Published May 6, 2026 at 07:40

Modified May 8, 2026 at 12:40

Affected Product

Vendor Linux

Product Linux

Version 2f01a1f58889fbfeb68b1bc1b52e4197f3333490

Affected Versions Linux Linux 2f01a1f58889fbfeb68b1bc1b52e4197f3333490
Linux Linux 2f01a1f58889fbfeb68b1bc1b52e4197f3333490
Linux Linux 2f01a1f58889fbfeb68b1bc1b52e4197f3333490
Linux Linux 2f01a1f58889fbfeb68b1bc1b52e4197f3333490
Linux Linux 2f01a1f58889fbfeb68b1bc1b52e4197f3333490
Linux Linux 2.6.31

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Linux

Product Linux kernel

Version 2f01a1f58889fbfeb68b1bc1b52e4197f3333490, 2.6.31

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wl1251: validate packet IDs before indexing tx_frames\n\nwl1251_tx_packet_cb() uses the firmware completion ID directly to index\nthe fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the\ncompletion block, and the callback does not currently verify that it\nfits the array before dereferencing it.\n\nReject completion IDs that fall outside wl->tx_frames[] and keep the\nexisting NULL check in the same guard. This keeps the fix local to the\ntrust boundary and avoids touching the rest of the completion flow.",
    "published": "2026-05-06T07:40:39.234Z",
    "modified": "2026-05-08T12:40:38.409Z",
    "type": "cve",
    "title": "wifi: wl1251: validate packet IDs before indexing tx_frames",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/b6ba1eacf276063ebeefbbae8056043c24f2efaf\nhttps://git.kernel.org/stable/c/df15adc692a802636dd3f258fc7cca8bf7a0ed9a\nhttps://git.kernel.org/stable/c/8d7465be5163a923ee5d7459719ef5a021c1584a\nhttps://git.kernel.org/stable/c/26ee518695c484f75e3606d631278e84bd24ae02\nhttps://git.kernel.org/stable/c/0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0",
    "id": "CVE-2026-43113",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 2f01a1f58889fbfeb68b1bc1b52e4197f3333490\nLinux Linux 2f01a1f58889fbfeb68b1bc1b52e4197f3333490\nLinux Linux 2f01a1f58889fbfeb68b1bc1b52e4197f3333490\nLinux Linux 2f01a1f58889fbfeb68b1bc1b52e4197f3333490\nLinux Linux 2f01a1f58889fbfeb68b1bc1b52e4197f3333490\nLinux Linux 2.6.31",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "2f01a1f58889fbfeb68b1bc1b52e4197f3333490",
    "vendor": "Linux",
    "ai_description": "Linux kernel vulnerability in wifi: wl1251, where packet IDs are not validated before indexing tx_frames, potentially leading to arbitrary code execution.",
    "ai_severity": "High",
    "ai_vendor": "Linux",
    "ai_product": "Linux kernel",
    "ai_version": "2f01a1f58889fbfeb68b1bc1b52e4197f3333490, 2.6.31",
    "ai_score": 8.8
}