PT-2026-47378 · Linux · Linux
Published 2026-06-08 · Updated 2026-06-08
CVE-2026-46307
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath5k: do not access array OOB
Vincent reports:
The ath5k driver seems to do an array-index-out-of-bounds access as shown by the UBSAN kernel message:
UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
index 4 is out of range for type 'ieee80211_tx_rate [4]'
...
Call Trace:
 dump_stack_lvl+0x5d/0x80
 ubsan_epilogue+0x5/0x2b
 __ubsan_handle_out_of_bounds.cold+0x46/0x4b
 ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
 tasklet_action_common+0xb5/0x1c0
It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
info->status.rates[ts->ts_final_idx + 1].idx = -1;
with the array defined as:
struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
while the size is:
#define IEEE80211_TX_MAX_RATES 4
is indeed bogus.
Set this 'idx = -1' sentinel only if the array index is less than the
array size, as mac80211 will not look at rates beyond the size
(IEEE80211_TX_MAX_RATES).
Note: The effect of the OOB write is negligible. It just overwrites the
next member of info->status, i.e. ack_signal.
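The bounds check described in the commit message, as an added example that is not the kernel patch or code from this page. The struct layout, TX_MAX_RATES, terminate_rates() and unguarded_store_offset() are simplified, hypothetical stand-ins; the unguarded store is only computed as an offset, never performed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TX_MAX_RATES 4 /* stand-in for IEEE80211_TX_MAX_RATES */

/* Simplified stand-ins (assumed layout), not the kernel's definitions. */
struct tx_rate { int8_t idx; uint8_t count; uint16_t flags; };
struct tx_status {
    struct tx_rate rates[TX_MAX_RATES];
    int32_t ack_signal; /* member that follows the array */
};

/* Byte offset an unguarded rates[final_idx + 1] store would hit.
 * Computed arithmetically so the demo never performs the OOB write. */
size_t unguarded_store_offset(unsigned final_idx)
{
    return offsetof(struct tx_status, rates) +
           ((size_t)final_idx + 1) * sizeof(struct tx_rate);
}

/* Guarded form: write the idx = -1 terminator only when the slot exists.
 * Returns 1 if the terminator was written, 0 if the array is already full. */
int terminate_rates(struct tx_status *st, unsigned final_idx)
{
    if (final_idx >= TX_MAX_RATES - 1)
        return 0; /* all slots used: nothing to terminate */
    st->rates[final_idx + 1].idx = -1;
    return 1;
}

int main(void)
{
    struct tx_status st;
    memset(&st, 0, sizeof(st));
    st.ack_signal = -42; /* constructed sample value */

    for (unsigned i = 0; i < TX_MAX_RATES; i++) {
        int wrote = terminate_rates(&st, i);
        printf("final_idx=%u unguarded offset=%zu (ack_signal at %zu) "
               "written=%d ack_signal=%d\n", i, unguarded_store_offset(i),
               offsetof(struct tx_status, ack_signal), wrote,
               (int)st.ack_signal);
    }
    return 0;
}
```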
Affected Products
Linux