CVE-2026-46307 (GCVE-0-2026-46307)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-08 15:46
VLAI
Title
wifi: ath5k: do not access array OOB
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath5k: do not access array OOB
Vincent reports:
> The ath5k driver seems to do an array-index-out-of-bounds access as
> shown by the UBSAN kernel message:
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
> index 4 is out of range for type 'ieee80211_tx_rate [4]'
> ...
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5d/0x80
> ubsan_epilogue+0x5/0x2b
> __ubsan_handle_out_of_bounds.cold+0x46/0x4b
> ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
> tasklet_action_common+0xb5/0x1c0
It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
info->status.rates[ts->ts_final_idx + 1].idx = -1;
with the array defined as:
struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
while the size is:
#define IEEE80211_TX_MAX_RATES 4
is indeed bogus.
Set this 'idx = -1' sentinel only if the array index is less than the
array size. As mac80211 will not look at rates beyond the size
(IEEE80211_TX_MAX_RATES).
Note: The effect of the OOB write is negligible. It just overwrites the
next member of info->status, i.e. ack_signal.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
6d7b97b23e114c8fbb825e6721164d228c1af3fc , < ecb1c163166759dec004c1fdb9709b8a5992fc8e
(git)
Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 9dd6aae4bc7bfa11088d928670a3315eae542769 (git) Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 744c19e266b0d2628c5951439195dcef27eadacf (git) Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 83226c71af53fb9b3cad40cb9a9a79f36d68c020 (git) Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < d6869537013b1f21b292342752d97868b79b5934 (git) Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < e9f1081bc775146156def0dbc821b92f35d56afb (git) Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 568173ad9bd0b46cc6cd937dea8791e9b5eefa57 (git) Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < d748603f12baff112caa3ab7d39f50100f010dbd (git) |
|
| Linux | Linux |
Affected:
3.0
Unaffected: 0 , < 3.0 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath5k/base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ecb1c163166759dec004c1fdb9709b8a5992fc8e",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "9dd6aae4bc7bfa11088d928670a3315eae542769",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "744c19e266b0d2628c5951439195dcef27eadacf",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "83226c71af53fb9b3cad40cb9a9a79f36d68c020",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "d6869537013b1f21b292342752d97868b79b5934",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "e9f1081bc775146156def0dbc821b92f35d56afb",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "568173ad9bd0b46cc6cd937dea8791e9b5eefa57",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "d748603f12baff112caa3ab7d39f50100f010dbd",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath5k/base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath5k: do not access array OOB\n\nVincent reports:\n\u003e The ath5k driver seems to do an array-index-out-of-bounds access as\n\u003e shown by the UBSAN kernel message:\n\u003e UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20\n\u003e index 4 is out of range for type \u0027ieee80211_tx_rate [4]\u0027\n\u003e ...\n\u003e Call Trace:\n\u003e \u003cTASK\u003e\n\u003e dump_stack_lvl+0x5d/0x80\n\u003e ubsan_epilogue+0x5/0x2b\n\u003e __ubsan_handle_out_of_bounds.cold+0x46/0x4b\n\u003e ath5k_tasklet_tx+0x4e0/0x560 [ath5k]\n\u003e tasklet_action_common+0xb5/0x1c0\n\nIt is real. \u0027ts-\u003ets_final_idx\u0027 can be 3 on 5212, so:\n info-\u003estatus.rates[ts-\u003ets_final_idx + 1].idx = -1;\nwith the array defined as:\n struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];\nwhile the size is:\n #define IEEE80211_TX_MAX_RATES 4\nis indeed bogus.\n\nSet this \u0027idx = -1\u0027 sentinel only if the array index is less than the\narray size. As mac80211 will not look at rates beyond the size\n(IEEE80211_TX_MAX_RATES).\n\nNote: The effect of the OOB write is negligible. It just overwrites the\nnext member of info-\u003estatus, i.e. ack_signal."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:46:35.059Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ecb1c163166759dec004c1fdb9709b8a5992fc8e"
},
{
"url": "https://git.kernel.org/stable/c/9dd6aae4bc7bfa11088d928670a3315eae542769"
},
{
"url": "https://git.kernel.org/stable/c/744c19e266b0d2628c5951439195dcef27eadacf"
},
{
"url": "https://git.kernel.org/stable/c/83226c71af53fb9b3cad40cb9a9a79f36d68c020"
},
{
"url": "https://git.kernel.org/stable/c/d6869537013b1f21b292342752d97868b79b5934"
},
{
"url": "https://git.kernel.org/stable/c/e9f1081bc775146156def0dbc821b92f35d56afb"
},
{
"url": "https://git.kernel.org/stable/c/568173ad9bd0b46cc6cd937dea8791e9b5eefa57"
},
{
"url": "https://git.kernel.org/stable/c/d748603f12baff112caa3ab7d39f50100f010dbd"
}
],
"title": "wifi: ath5k: do not access array OOB",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46307",
"datePublished": "2026-06-08T15:46:35.059Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-08T15:46:35.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-46307",
"date": "2026-06-09",
"epss": "0.00024",
"percentile": "0.07237"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-46307\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-06-08T17:16:49.547\",\"lastModified\":\"2026-06-08T17:16:49.547\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: ath5k: do not access array OOB\\n\\nVincent reports:\\n\u003e The ath5k driver seems to do an array-index-out-of-bounds access as\\n\u003e shown by the UBSAN kernel message:\\n\u003e UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20\\n\u003e index 4 is out of range for type \u0027ieee80211_tx_rate [4]\u0027\\n\u003e ...\\n\u003e Call Trace:\\n\u003e \u003cTASK\u003e\\n\u003e dump_stack_lvl+0x5d/0x80\\n\u003e ubsan_epilogue+0x5/0x2b\\n\u003e __ubsan_handle_out_of_bounds.cold+0x46/0x4b\\n\u003e ath5k_tasklet_tx+0x4e0/0x560 [ath5k]\\n\u003e tasklet_action_common+0xb5/0x1c0\\n\\nIt is real. \u0027ts-\u003ets_final_idx\u0027 can be 3 on 5212, so:\\n info-\u003estatus.rates[ts-\u003ets_final_idx + 1].idx = -1;\\nwith the array defined as:\\n struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];\\nwhile the size is:\\n #define IEEE80211_TX_MAX_RATES 4\\nis indeed bogus.\\n\\nSet this \u0027idx = -1\u0027 sentinel only if the array index is less than the\\narray size. As mac80211 will not look at rates beyond the size\\n(IEEE80211_TX_MAX_RATES).\\n\\nNote: The effect of the OOB write is negligible. It just overwrites the\\nnext member of info-\u003estatus, i.e. ack_signal.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/568173ad9bd0b46cc6cd937dea8791e9b5eefa57\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/744c19e266b0d2628c5951439195dcef27eadacf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/83226c71af53fb9b3cad40cb9a9a79f36d68c020\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9dd6aae4bc7bfa11088d928670a3315eae542769\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d6869537013b1f21b292342752d97868b79b5934\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d748603f12baff112caa3ab7d39f50100f010dbd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e9f1081bc775146156def0dbc821b92f35d56afb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ecb1c163166759dec004c1fdb9709b8a5992fc8e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…