wifi: ath5k: do not access array OOB_CVE-2026-46307

8.3 / 10

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath5k: do not access array OOB

Vincent reports:
> The ath5k driver seems to do an array-index-out-of-bounds access as
> shown by the UBSAN kernel message:
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
> index 4 is out of range for type 'ieee80211_tx_rate [4]'
> ...
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5d/0x80
> ubsan_epilogue+0x5/0x2b
> __ubsan_handle_out_of_bounds.cold+0x46/0x4b
> ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
> tasklet_action_common+0xb5/0x1c0

It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
info->status.rates[ts->ts_final_idx + 1].idx = -1;
with the array defined as:
struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
while the size is:
#define IEEE80211_TX_MAX_RATES 4
is indeed bogus.

Set this 'idx = -1' sentinel only if the array index is less than the
array size. As mac80211 will not look at rates beyond the size
(IEEE80211_TX_MAX_RATES).

Note: The effect of the OOB write is negligible. It just overwrites the
next member of info->status, i.e. ack_signal.

Basic Information

ID CVE-2026-46307

Source Linux

Published Jun 8, 2026 at 15:46

Modified Jun 14, 2026 at 04:30

Affected Product

Vendor Linux

Product Linux

Version 6d7b97b23e114c8fbb825e6721164d228c1af3fc

Affected Versions Linux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc
Linux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc
Linux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc
Linux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc
Linux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc
Linux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc
Linux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc
Linux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc
Linux Linux 3.0

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath5k: do not access array OOB\n\nVincent reports:\n> The ath5k driver seems to do an array-index-out-of-bounds access as\n> shown by the UBSAN kernel message:\n> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20\n> index 4 is out of range for type 'ieee80211_tx_rate [4]'\n> ...\n> Call Trace:\n>  <TASK>\n>  dump_stack_lvl+0x5d/0x80\n>  ubsan_epilogue+0x5/0x2b\n>  __ubsan_handle_out_of_bounds.cold+0x46/0x4b\n>  ath5k_tasklet_tx+0x4e0/0x560 [ath5k]\n>  tasklet_action_common+0xb5/0x1c0\n\nIt is real. 'ts->ts_final_idx' can be 3 on 5212, so:\n   info->status.rates[ts->ts_final_idx + 1].idx = -1;\nwith the array defined as:\n   struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];\nwhile the size is:\n   #define IEEE80211_TX_MAX_RATES  4\nis indeed bogus.\n\nSet this 'idx = -1' sentinel only if the array index is less than the\narray size. As mac80211 will not look at rates beyond the size\n(IEEE80211_TX_MAX_RATES).\n\nNote: The effect of the OOB write is negligible. It just overwrites the\nnext member of info->status, i.e. ack_signal.",
    "published": "2026-06-08T15:46:35.059Z",
    "modified": "2026-06-14T04:30:07.952Z",
    "type": "cve",
    "title": "wifi: ath5k: do not access array OOB",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/ecb1c163166759dec004c1fdb9709b8a5992fc8e\nhttps://git.kernel.org/stable/c/9dd6aae4bc7bfa11088d928670a3315eae542769\nhttps://git.kernel.org/stable/c/744c19e266b0d2628c5951439195dcef27eadacf\nhttps://git.kernel.org/stable/c/83226c71af53fb9b3cad40cb9a9a79f36d68c020\nhttps://git.kernel.org/stable/c/d6869537013b1f21b292342752d97868b79b5934\nhttps://git.kernel.org/stable/c/e9f1081bc775146156def0dbc821b92f35d56afb\nhttps://git.kernel.org/stable/c/568173ad9bd0b46cc6cd937dea8791e9b5eefa57\nhttps://git.kernel.org/stable/c/d748603f12baff112caa3ab7d39f50100f010dbd",
    "id": "CVE-2026-46307",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc\nLinux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc\nLinux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc\nLinux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc\nLinux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc\nLinux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc\nLinux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc\nLinux Linux 6d7b97b23e114c8fbb825e6721164d228c1af3fc\nLinux Linux 3.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.3,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply