CVE-2026-46152
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: drop stray 'static' from fast-RX rx_result
ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res.
That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued.
Make res an automatic variable so each invocation keeps its own result.
Affected products
1Patches
101739fc31b4dewifi: mac80211: drop stray 'static' from fast-RX rx_result
1 file changed · +1 −2
net/mac80211/rx.c+1 −2 modifieddiff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index e4a3ce716f6b54..59070283839277 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -4882,7 +4882,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx, struct sk_buff *skb = rx->skb; struct ieee80211_hdr *hdr = (void *)skb->data; struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); - static ieee80211_rx_result res; + ieee80211_rx_result res; int orig_len = skb->len; int hdrlen = ieee80211_hdrlen(hdr->frame_control); int snap_offs = hdrlen; -- cgit 1.3-korg
e131562d6f2bwifi: mac80211: drop stray 'static' from fast-RX rx_result
1 file changed · +1 −2
net/mac80211/rx.c+1 −2 modifieddiff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 5091a3c15b0b49..0a986607e65922 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -4824,7 +4824,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx, struct sk_buff *skb = rx->skb; struct ieee80211_hdr *hdr = (void *)skb->data; struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); - static ieee80211_rx_result res; + ieee80211_rx_result res; int orig_len = skb->len; int hdrlen = ieee80211_hdrlen(hdr->frame_control); int snap_offs = hdrlen; -- cgit 1.3-korg
3ef44f96ccc3wifi: mac80211: drop stray 'static' from fast-RX rx_result
1 file changed · +1 −2
net/mac80211/rx.c+1 −2 modifieddiff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 11d6c56c9d7eeb..7a8c964b0ae68a 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -4928,7 +4928,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx, struct sk_buff *skb = rx->skb; struct ieee80211_hdr *hdr = (void *)skb->data; struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); - static ieee80211_rx_result res; + ieee80211_rx_result res; int orig_len = skb->len; int hdrlen = ieee80211_hdrlen(hdr->frame_control); int snap_offs = hdrlen; -- cgit 1.3-korg
7a5b81e0c87awifi: mac80211: drop stray 'static' from fast-RX rx_result
1 file changed · +1 −2
net/mac80211/rx.c+1 −2 modifieddiff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 5a92413a911f2d..d18e962126ce4d 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -4971,7 +4971,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx, struct sk_buff *skb = rx->skb; struct ieee80211_hdr *hdr = (void *)skb->data; struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); - static ieee80211_rx_result res; + ieee80211_rx_result res; int orig_len = skb->len; int hdrlen = ieee80211_hdrlen(hdr->frame_control); int snap_offs = hdrlen; -- cgit 1.3-korg
03584528bfffwifi: mac80211: drop stray 'static' from fast-RX rx_result
1 file changed · +1 −2
net/mac80211/rx.c+1 −2 modifieddiff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 6bfd262dce260b..a716a055bff9a4 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -4820,7 +4820,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx, struct sk_buff *skb = rx->skb; struct ieee80211_hdr *hdr = (void *)skb->data; struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); - static ieee80211_rx_result res; + ieee80211_rx_result res; int orig_len = skb->len; int hdrlen = ieee80211_hdrlen(hdr->frame_control); int snap_offs = hdrlen; -- cgit 1.3-korg
7a5b81e0c87awifi: mac80211: drop stray 'static' from fast-RX rx_result
1 file changed · +1 −2
net/mac80211/rx.c+1 −2 modifieddiff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 5a92413a911f2d..d18e962126ce4d 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -4971,7 +4971,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx, struct sk_buff *skb = rx->skb; struct ieee80211_hdr *hdr = (void *)skb->data; struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); - static ieee80211_rx_result res; + ieee80211_rx_result res; int orig_len = skb->len; int hdrlen = ieee80211_hdrlen(hdr->frame_control); int snap_offs = hdrlen; -- cgit 1.3-korg
1739fc31b4dewifi: mac80211: drop stray 'static' from fast-RX rx_result
1 file changed · +1 −2
net/mac80211/rx.c+1 −2 modifieddiff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index e4a3ce716f6b54..59070283839277 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -4882,7 +4882,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx, struct sk_buff *skb = rx->skb; struct ieee80211_hdr *hdr = (void *)skb->data; struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); - static ieee80211_rx_result res; + ieee80211_rx_result res; int orig_len = skb->len; int hdrlen = ieee80211_hdrlen(hdr->frame_control); int snap_offs = hdrlen; -- cgit 1.3-korg
3ef44f96ccc3wifi: mac80211: drop stray 'static' from fast-RX rx_result
1 file changed · +1 −2
net/mac80211/rx.c+1 −2 modifieddiff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 11d6c56c9d7eeb..7a8c964b0ae68a 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -4928,7 +4928,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx, struct sk_buff *skb = rx->skb; struct ieee80211_hdr *hdr = (void *)skb->data; struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); - static ieee80211_rx_result res; + ieee80211_rx_result res; int orig_len = skb->len; int hdrlen = ieee80211_hdrlen(hdr->frame_control); int snap_offs = hdrlen; -- cgit 1.3-korg
e131562d6f2bwifi: mac80211: drop stray 'static' from fast-RX rx_result
1 file changed · +1 −2
net/mac80211/rx.c+1 −2 modifieddiff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 5091a3c15b0b49..0a986607e65922 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -4824,7 +4824,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx, struct sk_buff *skb = rx->skb; struct ieee80211_hdr *hdr = (void *)skb->data; struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); - static ieee80211_rx_result res; + ieee80211_rx_result res; int orig_len = skb->len; int hdrlen = ieee80211_hdrlen(hdr->frame_control); int snap_offs = hdrlen; -- cgit 1.3-korg
03584528bfffwifi: mac80211: drop stray 'static' from fast-RX rx_result
1 file changed · +1 −2
net/mac80211/rx.c+1 −2 modifieddiff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 6bfd262dce260b..a716a055bff9a4 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -4820,7 +4820,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx, struct sk_buff *skb = rx->skb; struct ieee80211_hdr *hdr = (void *)skb->data; struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); - static ieee80211_rx_result res; + ieee80211_rx_result res; int orig_len = skb->len; int hdrlen = ieee80211_hdrlen(hdr->frame_control); int snap_offs = hdrlen; -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"A local variable in ieee80211_invoke_fast_rx() was incorrectly declared static, creating a data race between concurrent callers."
Attack vector
An attacker who can send Wi‑Fi frames that reach the mesh fast‑RX path can trigger a data race. Because `ieee80211_invoke_fast_rx()` is designed for parallel RX, multiple concurrent callers share the same `static` `res` variable. One caller's result from `ieee80211_rx_mesh_data()` can be overwritten by another caller before the first caller's `switch (res)` executes. This can cause a packet that was queued or consumed to fall through into `ieee80211_rx_8023()`, or a packet that should continue to be misclassified as queued [patch_id=2898249].
Affected code
The vulnerability is in the function `ieee80211_invoke_fast_rx()` in `net/mac80211/rx.c` [patch_id=2898249]. The local variable `res` of type `ieee80211_rx_result` was incorrectly declared with the `static` storage class.
What the fix does
The patch removes the `static` keyword from the declaration of `res` in `ieee80211_invoke_fast_rx()`, making it an automatic (stack) variable [patch_id=2898249]. Each invocation now gets its own instance of `res`, eliminating the data race where concurrent callers could overwrite each other's result between the call to `ieee80211_rx_mesh_data()` and the subsequent `switch` on `res`.
Preconditions
- configThe system must be using mac80211 with mesh fast-RX enabled (introduced by commit 3468e1e0c639).
- inputAn attacker must be able to send Wi-Fi frames that reach the mesh fast-RX path.
- networkAt least two concurrent RX contexts must be active to trigger the race condition.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/03584528bfffb195e384698af9148b94e42e3f14nvd
- git.kernel.org/stable/c/1739fc31b4de06c5c78ce0741182770fb079091envd
- git.kernel.org/stable/c/3ef44f96ccc3e06e059dec57842e366f0c4b1893nvd
- git.kernel.org/stable/c/7a5b81e0c87a075afd572f659d8eb68c9c4cd2banvd
- git.kernel.org/stable/c/e131562d6f2b958148c35c98831b007f47f0e3d3nvd
News mentions
0No linked articles in our index yet.