VYPR
Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-46122

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: b43: enforce bounds check on firmware key index in b43_rx()

The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read.

Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing bounds check in the Linux kernel's b43 driver allows an out-of-bounds read via a crafted firmware key index.

Vulnerability

The b43 wireless driver in the Linux kernel contains an out-of-bounds read vulnerability in the b43_rx() function. The firmware-controlled key index can exceed the dev->key[] array size (58 entries). A B43_WARN_ON check was present but non-enforcing in production builds, allowing the out-of-bounds access. Affected versions include all kernel releases prior to the patch that enforces the check.

Exploitation

An attacker with the ability to transmit wireless frames to a vulnerable system can trigger this vulnerability. No authentication is required. The attacker sends a crafted frame that causes the firmware to supply an invalid key index, which the driver then uses to read memory outside the intended array.

Impact

Successful exploitation results in an out-of-bounds read, potentially leaking sensitive kernel memory. The read can access up to 58 entries beyond the dev->key array, leading to information disclosure.

Mitigation

The fix enforces the bounds check in b43_rx() by dropping the frame when an invalid key index is detected. Patched versions are available in the Linux kernel stable branches. Users should update to the latest kernel containing the commit that implements this fix.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

10
1f4f78bf8549

wifi: b43: enforce bounds check on firmware key index in b43_rx()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Tristan Madani · Apr 17, 2026 · Fixed in 7.1-rc3 · via kernel-cna
2 files changed · +4 4
  • drivers/net/wireless/broadcom/b43/xmit.c · +2 2 modified
    diff --git a/drivers/net/wireless/broadcom/b43/xmit.c b/drivers/net/wireless/broadcom/b43/xmit.c
    index 7651b1bdb59266..f0b082596637ff 100644
    --- a/drivers/net/wireless/broadcom/b43/xmit.c
    +++ b/drivers/net/wireless/broadcom/b43/xmit.c
    @@ -702,7 +702,8 @@ void b43_rx(struct b43_wldev *dev, struct sk_buff *skb, const void *_rxhdr)
     		 * key index, but the ucode passed it slightly different.
     		 */
     		keyidx = b43_kidx_to_raw(dev, keyidx);
    -		B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
    +		if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
    +			goto drop;
     
     		if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) {
     			wlhdr_len = ieee80211_hdrlen(fctl);
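
    Review bot: the new `if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key))) goto drop;` only enforces the bound if B43_WARN_ON evaluates to its condition in every build configuration, and the macro's definition is not part of this hunk; the commit message should state that this holds for non-debug builds. The `drop` label is also outside the visible context, so confirm that path releases the skb. Since keyidx is firmware-controlled, a rate-limited message may be preferable to a warning on every bad frame.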
    
d7029879bafd

wifi: b43: enforce bounds check on firmware key index in b43_rx()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Tristan Madani · Apr 17, 2026 · Fixed in 6.18.30 · via kernel-cna
    
219ba67e69e4

wifi: b43: enforce bounds check on firmware key index in b43_rx()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Tristan Madani · Apr 17, 2026 · Fixed in 7.0.7 · via kernel-cna
    
1e9e55cf66f0

wifi: b43: enforce bounds check on firmware key index in b43_rx()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Tristan Madani · Apr 17, 2026 · Fixed in 6.12.88 · via kernel-cna
    
c3d7b90dc950

wifi: b43: enforce bounds check on firmware key index in b43_rx()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Tristan Madani · Apr 17, 2026 · Fixed in 6.6.140 · via kernel-cna
    

Vulnerability mechanics

Root cause

"Missing enforcing bounds check on firmware-controlled key index allows out-of-bounds read in b43_rx()."

Attack vector

An attacker within radio range of a device using the b43 driver can transmit a crafted 802.11 frame whose metadata contains a key index value that, after conversion by `b43_kidx_to_raw()`, exceeds the 58-entry `dev->key[]` array. The existing `B43_WARN_ON` macro only produces a warning in debug builds and does not prevent the out-of-bounds read in production kernels. The attacker does not need any authentication or special privileges — the bug is triggered during normal frame reception in `b43_rx()`.

Affected code

The vulnerability is in the `b43_rx()` function in `drivers/net/wireless/broadcom/b43/xmit.c` [patch_id=2898513]. The firmware-supplied key index (`keyidx`) is used to index into the `dev->key[]` array (58 entries) without an enforcing bounds check.

What the fix does

The patch changes the non-enforcing `B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));` into an enforcing `if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key))) goto drop;` [patch_id=2898513]. When the firmware provides an out-of-bounds key index, the frame is now dropped instead of allowing the subsequent `dev->key[keyidx]` access to read past the array boundary. This closes the out-of-bounds read while preserving the warning for debugging purposes.
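
The difference between the non-enforcing and the enforcing check, as an added user-space model (not kernel code and not part of the patch). The types, `model_warn_on()`, the 0..255 index sweep and the installed key in slot 3 are assumptions made for illustration; only the 58-entry table size and the check itself come from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define NUM_KEYS 58 /* dev->key[] size given in the advisory */

/* Simplified stand-ins for the driver's types (assumed, not kernel code). */
enum sec_algo { ALGO_NONE, ALGO_SET };
struct key_slot { enum sec_algo algorithm; };
struct wldev { struct key_slot key[NUM_KEYS]; unsigned warnings; };

enum rx_result { RX_PLAIN, RX_DECRYPT, RX_DROPPED, RX_OOB_READ };

/* Model of a warn-on macro: records the warning and evaluates to the
 * condition, so the caller decides whether the check is enforcing. */
static bool model_warn_on(struct wldev *dev, bool cond)
{
	if (cond)
		dev->warnings++;
	return cond;
}

/* Before: the warning result is discarded and execution continues. */
static enum rx_result rx_before(struct wldev *dev, unsigned keyidx)
{
	(void)model_warn_on(dev, keyidx >= ARRAY_SIZE(dev->key));
	/* The driver would index dev->key[keyidx] here. The model reports the
	 * out-of-bounds access instead of performing it. */
	if (keyidx >= ARRAY_SIZE(dev->key))
		return RX_OOB_READ;
	return dev->key[keyidx].algorithm != ALGO_NONE ? RX_DECRYPT : RX_PLAIN;
}

/* After: the same condition now drops the frame before any table access. */
static enum rx_result rx_after(struct wldev *dev, unsigned keyidx)
{
	if (model_warn_on(dev, keyidx >= ARRAY_SIZE(dev->key)))
		return RX_DROPPED;
	return dev->key[keyidx].algorithm != ALGO_NONE ? RX_DECRYPT : RX_PLAIN;
}

typedef enum rx_result (*rx_fn)(struct wldev *, unsigned);

/* Feed every index 0..255 (assumed 8-bit range) and count one outcome. */
static unsigned count_outcome(rx_fn rx, enum rx_result want)
{
	struct wldev dev = { .warnings = 0 };
	unsigned n = 0;

	dev.key[3].algorithm = ALGO_SET; /* constructed: one installed key */
	for (unsigned idx = 0; idx < 256; idx++)
		if (rx(&dev, idx) == want)
			n++;
	return n;
}

int main(void)
{
	printf("before: %u out-of-bounds reads\n", count_outcome(rx_before, RX_OOB_READ));
	printf("after:  %u out-of-bounds reads, %u dropped\n",
	       count_outcome(rx_after, RX_OOB_READ), count_outcome(rx_after, RX_DROPPED));
	return 0;
}
```

In-range indices behave identically in both versions; only the handling of indices at or above 58 changes.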

Preconditions

  • network: Attacker must be within radio range of a device using the b43 wireless driver (Broadcom BCM43xx).
  • auth: No authentication or association required; the bug triggers on reception of any 802.11 frame.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.