wifi: ath5k: do not access array OOB
Summary
| CVE | CVE-2026-46307 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-08 17:16:49 UTC |
| Updated | 2026-07-07 18:35:34 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: wifi: ath5k: do not access array OOB Vincent reports: > The ath5k driver seems to do an array-index-out-of-bounds access as > shown by the UBSAN kernel message: > UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20 > index 4 is out of range for type 'ieee80211_tx_rate [4]' > ... > Call Trace: > <TASK> > dump_stack_lvl+0x5d/0x80 > ubsan_epilogue+0x5/0x2b > __ubsan_handle_out_of_bounds.cold+0x46/0x4b > ath5k_tasklet_tx+0x4e0/0x560 [ath5k] > tasklet_action_common+0xb5/0x1c0 It is real. 'ts->ts_final_idx' can be 3 on 5212, so: info->status.rates[ts->ts_final_idx + 1].idx = -1; with the array defined as: struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES]; while the size is: #define IEEE80211_TX_MAX_RATES 4 is indeed bogus. Set this 'idx = -1' sentinel only if the array index is less than the array size. As mac80211 will not look at rates beyond the size (IEEE80211_TX_MAX_RATES). Note: The effect of the OOB write is negligible. It just overwrites the next member of info->status, i.e. ack_signal. |
Risk And Classification
Primary CVSS: v3.1 8.3 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.002200000 probability, percentile 0.123470000 (date 2026-06-21)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 8.3 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
| 3.1 | CNA | DECLARED | 8.3 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
CVSS v3.1 Breakdown
Attack Vector
AdjacentAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
LowCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc ecb1c163166759dec004c1fdb9709b8a5992fc8e git | Not specified |
| CNA | Linux | Linux | affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc 9dd6aae4bc7bfa11088d928670a3315eae542769 git | Not specified |
| CNA | Linux | Linux | affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc 744c19e266b0d2628c5951439195dcef27eadacf git | Not specified |
| CNA | Linux | Linux | affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc 83226c71af53fb9b3cad40cb9a9a79f36d68c020 git | Not specified |
| CNA | Linux | Linux | affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc d6869537013b1f21b292342752d97868b79b5934 git | Not specified |
| CNA | Linux | Linux | affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc e9f1081bc775146156def0dbc821b92f35d56afb git | Not specified |
| CNA | Linux | Linux | affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc 568173ad9bd0b46cc6cd937dea8791e9b5eefa57 git | Not specified |
| CNA | Linux | Linux | affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc d748603f12baff112caa3ab7d39f50100f010dbd git | Not specified |
| CNA | Linux | Linux | affected 3.0 | Not specified |
| CNA | Linux | Linux | unaffected 3.0 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.258 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.175 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.140 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.88 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.30 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.7 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/568173ad9bd0b46cc6cd937dea8791e9b5eefa57 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/d6869537013b1f21b292342752d97868b79b5934 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/ecb1c163166759dec004c1fdb9709b8a5992fc8e | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/744c19e266b0d2628c5951439195dcef27eadacf | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/83226c71af53fb9b3cad40cb9a9a79f36d68c020 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/9dd6aae4bc7bfa11088d928670a3315eae542769 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/d748603f12baff112caa3ab7d39f50100f010dbd | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/e9f1081bc775146156def0dbc821b92f35d56afb | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.