wifi: ath5k: do not access array OOB

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-46307
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-08 17:16:49 UTC
Updated2026-06-08 17:16:49 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: wifi: ath5k: do not access array OOB Vincent reports: > The ath5k driver seems to do an array-index-out-of-bounds access as > shown by the UBSAN kernel message: > UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20 > index 4 is out of range for type 'ieee80211_tx_rate [4]' > ... > Call Trace: > <TASK> > dump_stack_lvl+0x5d/0x80 > ubsan_epilogue+0x5/0x2b > __ubsan_handle_out_of_bounds.cold+0x46/0x4b > ath5k_tasklet_tx+0x4e0/0x560 [ath5k] > tasklet_action_common+0xb5/0x1c0 It is real. 'ts->ts_final_idx' can be 3 on 5212, so: info->status.rates[ts->ts_final_idx + 1].idx = -1; with the array defined as: struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES]; while the size is: #define IEEE80211_TX_MAX_RATES 4 is indeed bogus. Set this 'idx = -1' sentinel only if the array index is less than the array size. As mac80211 will not look at rates beyond the size (IEEE80211_TX_MAX_RATES). Note: The effect of the OOB write is negligible. It just overwrites the next member of info->status, i.e. ack_signal.

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc ecb1c163166759dec004c1fdb9709b8a5992fc8e git Not specified
CNA Linux Linux affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc 9dd6aae4bc7bfa11088d928670a3315eae542769 git Not specified
CNA Linux Linux affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc 744c19e266b0d2628c5951439195dcef27eadacf git Not specified
CNA Linux Linux affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc 83226c71af53fb9b3cad40cb9a9a79f36d68c020 git Not specified
CNA Linux Linux affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc d6869537013b1f21b292342752d97868b79b5934 git Not specified
CNA Linux Linux affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc e9f1081bc775146156def0dbc821b92f35d56afb git Not specified
CNA Linux Linux affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc 568173ad9bd0b46cc6cd937dea8791e9b5eefa57 git Not specified
CNA Linux Linux affected 6d7b97b23e114c8fbb825e6721164d228c1af3fc d748603f12baff112caa3ab7d39f50100f010dbd git Not specified
CNA Linux Linux affected 3.0 Not specified
CNA Linux Linux unaffected 3.0 semver Not specified
CNA Linux Linux unaffected 5.10.258 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.209 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.175 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.140 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.88 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.30 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.7 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1-rc3 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/568173ad9bd0b46cc6cd937dea8791e9b5eefa57 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/d6869537013b1f21b292342752d97868b79b5934 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/ecb1c163166759dec004c1fdb9709b8a5992fc8e 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/744c19e266b0d2628c5951439195dcef27eadacf 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/83226c71af53fb9b3cad40cb9a9a79f36d68c020 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/9dd6aae4bc7bfa11088d928670a3315eae542769 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/d748603f12baff112caa3ab7d39f50100f010dbd 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/e9f1081bc775146156def0dbc821b92f35d56afb 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report