CVE Catalog

CVE-2026-46307

HighCVSS 8.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile - higher than 13% of all known CVEs

Summary

In the ath5k Wi-Fi driver in the Linux kernel, an out-of-bounds (OOB) array access vulnerability was found. The issue occurs in ath5k_tasklet_tx where ts->ts_final_idx can be 3, leading to an access to rates[ts->ts_final_idx + 1] beyond the array size of 4. This overwrites the adjacent ack_signal field, though the impact is negligible.

Risk Assessment

The vulnerability may cause system instability or unexpected driver behavior, but the risk is low due to the limited scope of overwritten data (only an adjacent structure field).

Recommendation

It is recommended to update the Linux kernel to a version containing the fix, which adds a bounds check before writing to the array.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: wifi: ath5k: do not access array OOB Vincent reports: > The ath5k driver seems to do an array-index-out-of-bounds access as > shown by the UBSAN kernel message: > UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20 > index 4 is out of range for type 'ieee80211_tx_rate [4]' > ... > Call Trace: > <TASK> > dump_stack_lvl+0x5d/0x80 > ubsan_epilogue+0x5/0x2b > __ubsan_handle_out_of_bounds.cold+0x46/0x4b > ath5k_tasklet_tx+0x4e0/0x560 [ath5k] > tasklet_action_common+0xb5/0x1c0 It is real. 'ts->ts_final_idx' can be 3 on 5212, so: info->status.rates[ts->ts_final_idx + 1].idx = -1; with the array defined as: struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES]; while the size is: #define IEEE80211_TX_MAX_RATES 4 is indeed bogus. Set this 'idx = -1' sentinel only if the array index is less than the array size. As mac80211 will not look at rates beyond the size (IEEE80211_TX_MAX_RATES). Note: The effect of the OOB write is negligible. It just overwrites the next member of info->status, i.e. ack_signal.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS