CVE-2026-46163
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: b43legacy: enforce bounds check on firmware key index in RX path
Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[].
Make the check enforcing by dropping the frame for invalid indices.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Linux kernel's b43legacy Wi-Fi driver fails to enforce a bounds check on a firmware-controlled key index in its receive path, so an index at or beyond dev->max_nr_keys is used to read past the dev->key[] array.
Vulnerability
In the Linux kernel's b43legacy Wi-Fi driver, the b43legacy_rx() function in the receive (RX) path takes a key index reported by the device firmware (ucode), converts it with b43legacy_kidx_to_raw(), and uses the result to index dev->key[]. The only guard is B43legacy_WARN_ON(keyidx >= dev->max_nr_keys), a debug-only warning: it can log a warning when the driver is built with debugging enabled, but it never stops execution, so in production kernels an out-of-range index silently reaches the array access and the read of dev->key[keyidx] goes out of bounds. The same code pattern was fixed earlier in the b43 driver, and this commit applies the equivalent fix to b43legacy. All kernel releases containing the b43legacy driver are affected until the fix is backported to their stable branch [1].
Exploitation
The index is not taken verbatim from the 802.11 frame: the device's ucode reports it in the per-frame receive information, and b43legacy_rx() converts it with b43legacy_kidx_to_raw() before indexing dev->key[]. The fix treats that value as untrusted firmware-controlled input; it does not establish whether a remote station can steer it to an out-of-range value with crafted frames, or whether doing so requires misbehaving or modified firmware. Any trigger goes through frame reception on the RX path, so no local access or privileges on the target are involved, but over-the-air reachability by an unauthenticated sender in radio range should be treated as unconfirmed rather than as a demonstrated attack vector.
Impact
The out-of-bounds access visible in the patch context is a read of dev->key[keyidx].algorithm, whose value is compared against B43legacy_SEC_ALGO_NONE to decide whether the PROTECTED flag is cleared and the frame is handed up as already decrypted. Two consequences follow: the kernel reads whatever memory lies beyond the valid part of dev->key[] (a crash, i.e. denial of service, if that address is unmapped, otherwise a stale or unrelated value), and a trust decision is then made on that value, so a frame may be marked decrypted on the strength of a key slot that was never validated. Nothing in this code path returns the read value to the sender, so information disclosure is not shown by the commit; availability impact and misclassification of received frames are the supported effects. No privilege escalation is involved.
Mitigation
The fix is carried by the stable commits listed under References (for example 9d1bc155802943e92c57a5fb923d23edfbf0b525) [1]. Users should update to a kernel that contains the backport for their stable branch, normally via distribution kernel updates. The change turns the non-enforcing B43legacy_WARN_ON into a conditional that jumps to the drop path on an invalid index, so the offending frame is discarded instead of indexing dev->key[]. For unpatched systems the only workaround is to avoid loading the b43legacy module (blacklist it) where the hardware is not needed. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
6ee946077607 wifi: b43legacy: enforce bounds check on firmware key index in RX path
1 file changed · +2 −2
drivers/net/wireless/broadcom/b43legacy/xmit.c+2 −2 modifieddiff --git a/drivers/net/wireless/broadcom/b43legacy/xmit.c b/drivers/net/wireless/broadcom/b43legacy/xmit.c index efd63f4ce74f2b..ee199d4eaf039a 100644 --- a/drivers/net/wireless/broadcom/b43legacy/xmit.c +++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c @@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev *dev, * key index, but the ucode passed it slightly different. */ keyidx = b43legacy_kidx_to_raw(dev, keyidx); - B43legacy_WARN_ON(keyidx >= dev->max_nr_keys); + if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys)) + goto drop; if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) { /* Remove PROTECTED flag to mark it as decrypted. */ -- cgit 1.3-korg
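Review bot: the new `if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys)) goto drop;` only enforces anything if B43legacy_WARN_ON() evaluates its argument and yields the condition as an expression in both the debug and the non-debug configuration; if the non-debug variant were a plain no-op statement, this line would not compile, and if it expanded to a constant false the frame would never be dropped, so the macro's definition in b43legacy.h should be confirmed alongside this hunk. Second, in debug builds the warning now fires once per frame carrying a bad index, so a device that keeps reporting one will flood the log; a once-only or rate-limited warning would be preferable at this site. The `drop` label is outside the hunk, and the commit message says the frame is dropped, so the existing drop path is presumably reused; it would help reviewers if the message said whether the dropped frame is counted in the driver's RX statistics.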
9d1bc1558029 wifi: b43legacy: enforce bounds check on firmware key index in RX path
1 file changed · +2 −2
drivers/net/wireless/broadcom/b43legacy/xmit.c+2 −2 modifieddiff --git a/drivers/net/wireless/broadcom/b43legacy/xmit.c b/drivers/net/wireless/broadcom/b43legacy/xmit.c index efd63f4ce74f2b..ee199d4eaf039a 100644 --- a/drivers/net/wireless/broadcom/b43legacy/xmit.c +++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c @@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev *dev, * key index, but the ucode passed it slightly different. */ keyidx = b43legacy_kidx_to_raw(dev, keyidx); - B43legacy_WARN_ON(keyidx >= dev->max_nr_keys); + if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys)) + goto drop; if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) { /* Remove PROTECTED flag to mark it as decrypted. */ -- cgit 1.3-korg
1baaeb6adecb wifi: b43legacy: enforce bounds check on firmware key index in RX path
1 file changed · +2 −2
drivers/net/wireless/broadcom/b43legacy/xmit.c+2 −2 modifieddiff --git a/drivers/net/wireless/broadcom/b43legacy/xmit.c b/drivers/net/wireless/broadcom/b43legacy/xmit.c index efd63f4ce74f2b..ee199d4eaf039a 100644 --- a/drivers/net/wireless/broadcom/b43legacy/xmit.c +++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c @@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev *dev, * key index, but the ucode passed it slightly different. */ keyidx = b43legacy_kidx_to_raw(dev, keyidx); - B43legacy_WARN_ON(keyidx >= dev->max_nr_keys); + if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys)) + goto drop; if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) { /* Remove PROTECTED flag to mark it as decrypted. */ -- cgit 1.3-korg
fdd4e51979f4 wifi: b43legacy: enforce bounds check on firmware key index in RX path
1 file changed · +2 −2
drivers/net/wireless/broadcom/b43legacy/xmit.c+2 −2 modifieddiff --git a/drivers/net/wireless/broadcom/b43legacy/xmit.c b/drivers/net/wireless/broadcom/b43legacy/xmit.c index efd63f4ce74f2b..ee199d4eaf039a 100644 --- a/drivers/net/wireless/broadcom/b43legacy/xmit.c +++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c @@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev *dev, * key index, but the ucode passed it slightly different. */ keyidx = b43legacy_kidx_to_raw(dev, keyidx); - B43legacy_WARN_ON(keyidx >= dev->max_nr_keys); + if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys)) + goto drop; if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) { /* Remove PROTECTED flag to mark it as decrypted. */ -- cgit 1.3-korg
a035766f970b wifi: b43legacy: enforce bounds check on firmware key index in RX path
1 file changed · +2 −2
drivers/net/wireless/broadcom/b43legacy/xmit.c+2 −2 modifieddiff --git a/drivers/net/wireless/broadcom/b43legacy/xmit.c b/drivers/net/wireless/broadcom/b43legacy/xmit.c index efd63f4ce74f2b..ee199d4eaf039a 100644 --- a/drivers/net/wireless/broadcom/b43legacy/xmit.c +++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c @@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev *dev, * key index, but the ucode passed it slightly different. */ keyidx = b43legacy_kidx_to_raw(dev, keyidx); - B43legacy_WARN_ON(keyidx >= dev->max_nr_keys); + if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys)) + goto drop; if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) { /* Remove PROTECTED flag to mark it as decrypted. */ -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing enforced bounds check on a firmware-controlled key index allows out-of-bounds read of the dev->key[] array in the RX path."
Attack vector
On every frame the device hardware decrypts, the firmware (ucode) reports a key index to the driver; b43legacy_rx() extracts it and transforms it with `b43legacy_kidx_to_raw()` to obtain the physical index `keyidx`. If that index equals or exceeds `dev->max_nr_keys`, the following access `dev->key[keyidx]` reads out of bounds. The existing `B43legacy_WARN_ON` is a debug-only warning that does not stop execution in any configuration, so in production kernels the out-of-range read proceeds without even a log entry [patch_id=2898151]. Whether a remote sender can force such an index with crafted 802.11 frames, rather than only misbehaving firmware, is not established by the fix.
Affected code
The vulnerability resides in the `b43legacy_rx()` function in `drivers/net/wireless/broadcom/b43legacy/xmit.c` [patch_id=2898151]. The firmware-controlled key index (`keyidx`) is used to index into `dev->key[]` without a bounds check that is enforced in production builds.
What the fix does
The patch changes the non-enforcing `B43legacy_WARN_ON(keyidx >= dev->max_nr_keys)` into an enforcing conditional: `if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys)) goto drop;` [patch_id=2898151]. When the key index is out of bounds, the function now jumps to the `drop` label, discarding the frame and preventing the out-of-bounds read of `dev->key[]`. This closes the vulnerability by ensuring invalid firmware-supplied indices never reach the array access.
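As an added illustration of the defect and the fix described here (and of the Vulnerability paragraph in the AI Insight above), the following is a stand-alone C model written for this page; it is not code from the b43legacy driver or the Linux kernel. The demo_* names, the eight-entry key table, the max_nr_keys value of 4 and the stale entry in slot 6 are assumptions chosen for the demo. The bad index is kept inside the C allocation so that the pre-patch path runs without undefined behaviour while still showing the trust decision it makes on a slot that was never validated; compile with -DDEMO_DEBUG to see the warning variant of the macro.

```c
/*
 * Added example, not code from the b43legacy driver or the Linux kernel:
 * a model of the RX-path key lookup with the pre-patch check (warn, then
 * index anyway) beside the post-patch check (warn, then drop). Table
 * size, max_nr_keys and the stale slot are assumptions made for the demo.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define DEMO_NR_KEYS 8u          /* assumed size of the key[] allocation */

enum demo_sec_algo {
    DEMO_SEC_ALGO_NONE = 0,
    DEMO_SEC_ALGO_WEP40,
    DEMO_SEC_ALGO_TKIP,
    DEMO_SEC_ALGO_AES,
};

struct demo_key {
    enum demo_sec_algo algorithm;
};

struct demo_wldev {
    struct demo_key key[DEMO_NR_KEYS];
    unsigned int max_nr_keys;    /* logical limit, assumed below DEMO_NR_KEYS */
    unsigned long warn_count;    /* how many times the debug warning fired */
};

/*
 * Mimic of a debug-only WARN_ON: with DEMO_DEBUG it records and prints a
 * warning, without it it merely evaluates its argument. Like WARN_ON it
 * never stops execution itself; it returns the condition, which is what
 * the fixed path relies on.
 */
static inline bool demo_warn_on(struct demo_wldev *dev, bool cond)
{
#ifdef DEMO_DEBUG
    if (cond) {
        dev->warn_count++;
        fprintf(stderr, "WARNING: firmware key index out of range\n");
    }
#else
    (void)dev;
#endif
    return cond;
}

enum demo_rx_result {
    DEMO_RX_PLAIN,       /* frame passed up untouched */
    DEMO_RX_DECRYPTED,   /* PROTECTED flag would be cleared here */
    DEMO_RX_DROPPED,     /* frame discarded */
};

/* Pre-patch logic: the warning's result is ignored and key[] is indexed anyway. */
enum demo_rx_result demo_rx_vulnerable(struct demo_wldev *dev, unsigned int keyidx)
{
    demo_warn_on(dev, keyidx >= dev->max_nr_keys);
    if (dev->key[keyidx].algorithm != DEMO_SEC_ALGO_NONE)
        return DEMO_RX_DECRYPTED;
    return DEMO_RX_PLAIN;
}

/* Post-patch logic: the same warning now gates the table access. */
enum demo_rx_result demo_rx_fixed(struct demo_wldev *dev, unsigned int keyidx)
{
    if (demo_warn_on(dev, keyidx >= dev->max_nr_keys))
        goto drop;
    if (dev->key[keyidx].algorithm != DEMO_SEC_ALGO_NONE)
        return DEMO_RX_DECRYPTED;
    return DEMO_RX_PLAIN;
drop:
    return DEMO_RX_DROPPED;
}

/*
 * Constructed device state: four logically valid slots, a real key in
 * slot 1, and a stale non-NONE entry in slot 6, i.e. past max_nr_keys but
 * still inside the allocation (so the vulnerable path has no UB here).
 */
void demo_init_dev(struct demo_wldev *dev)
{
    memset(dev, 0, sizeof(*dev));
    dev->max_nr_keys = 4;
    dev->key[1].algorithm = DEMO_SEC_ALGO_AES;
    dev->key[6].algorithm = DEMO_SEC_ALGO_TKIP;
}

/* One lookup against a fresh constructed device, on either code path. */
enum demo_rx_result demo_lookup(unsigned int keyidx, bool use_fixed)
{
    struct demo_wldev dev;
    demo_init_dev(&dev);
    return use_fixed ? demo_rx_fixed(&dev, keyidx)
                     : demo_rx_vulnerable(&dev, keyidx);
}

int main(void)
{
    printf("valid idx 1: vulnerable=%d fixed=%d\n",
           demo_lookup(1, false), demo_lookup(1, true));
    printf("bad idx 6:   vulnerable=%d fixed=%d\n",
           demo_lookup(6, false), demo_lookup(6, true));
    /* An index beyond the allocation is only safe to feed to the fixed path. */
    printf("bad idx 200: fixed=%d\n", demo_lookup(200, true));
    return 0;
}
```

The vulnerable path reports index 6 as DECRYPTED because the stale slot happens to hold a non-NONE algorithm, which is exactly the decision the real driver made on memory it had no business reading; the fixed path drops indices 6 and 200 without touching the table, and for index 200 the drop is the only reason the program does not read outside the allocation.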
Preconditions
- network: The index is evaluated when a device running the b43legacy driver receives a frame, so the trigger lies on the RX path; whether a remote sender in radio range can force it with crafted 802.11 frames, rather than only misbehaving firmware, is not established by the fix commit.
- auth: No authentication or local privileges on the target are involved; the access happens in the driver's RX path upon frame reception.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/1baaeb6adecb9691748c0253dab6ddd19a2b4e9e [nvd]
- git.kernel.org/stable/c/6ee946077607d7783ae6709a899213fc4fe08f35 [nvd]
- git.kernel.org/stable/c/9d1bc155802943e92c57a5fb923d23edfbf0b525 [nvd]
- git.kernel.org/stable/c/a035766f970bde2d4298346a31a80685be5c0205 [nvd]
- git.kernel.org/stable/c/fdd4e51979f42ca8b1ab7e6176b607e1caabf2a5 [nvd]