In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9khtctxstatus()
Fix an array-index-out-of-bounds read in ath9khtctxstatus(). The bug occurs when txs->cnt, data from a URB provided by a USB device, is bigger than the size of the array txs->txstatus, which is HTCMAXTXSTATUS. WARNON() already checks it, but there is no bug handling code after the check. Make the function return if that is the case.
Found by a modified version of syzkaller.
UBSAN: array-index-out-of-bounds in htcdrvtxrx.c index 13 is out of range for type '_wmieventtxstatus [12]' Call Trace: ath9khtctxstatus ath9kwmieventtasklet taskletactioncommon _dosoftirq irqexitrxu sysvecapictimer_interrupt