CVE-2026-46307

Source
https://cve.org/CVERecord?id=CVE-2026-46307
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46307.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46307
Downstream
Related
Published
2026-06-08T15:46:35.059Z
Modified
2026-07-10T03:54:20.456968707Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
Summary
wifi: ath5k: do not access array OOB
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath5k: do not access array OOB

Vincent reports:

The ath5k driver seems to do an array-index-out-of-bounds access as shown by the UBSAN kernel message: UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20 index 4 is out of range for type 'ieee80211txrate [4]' ... Call Trace: <TASK> dumpstacklvl+0x5d/0x80 ubsan_epilogue+0x5/0x2b __ubsanhandleoutofbounds.cold+0x46/0x4b ath5ktasklettx+0x4e0/0x560 [ath5k] taskletactioncommon+0xb5/0x1c0

It is real. 'ts->tsfinalidx' can be 3 on 5212, so: info->status.rates[ts->tsfinalidx + 1].idx = -1; with the array defined as: struct ieee80211txrate rates[IEEE80211TXMAXRATES]; while the size is: #define IEEE80211TXMAXRATES 4 is indeed bogus.

Set this 'idx = -1' sentinel only if the array index is less than the array size. As mac80211 will not look at rates beyond the size (IEEE80211TXMAX_RATES).

Note: The effect of the OOB write is negligible. It just overwrites the next member of info->status, i.e. ack_signal.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46307.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6d7b97b23e114c8fbb825e6721164d228c1af3fc
Fixed
ecb1c163166759dec004c1fdb9709b8a5992fc8e
Fixed
9dd6aae4bc7bfa11088d928670a3315eae542769
Fixed
744c19e266b0d2628c5951439195dcef27eadacf
Fixed
83226c71af53fb9b3cad40cb9a9a79f36d68c020
Fixed
d6869537013b1f21b292342752d97868b79b5934
Fixed
e9f1081bc775146156def0dbc821b92f35d56afb
Fixed
568173ad9bd0b46cc6cd937dea8791e9b5eefa57
Fixed
d748603f12baff112caa3ab7d39f50100f010dbd

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46307.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.88
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.30
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46307.json"