CVE-2026-46307
Description
Linux kernel's ath5k driver has an array out-of-bounds write vulnerability, potentially affecting Wi-Fi functionality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel's ath5k driver has an array out-of-bounds write vulnerability, potentially affecting Wi-Fi functionality.
Vulnerability
The Linux kernel's ath5k driver contains an array-index-out-of-bounds write vulnerability in drivers/net/wireless/ath/ath5k/base.c. The issue occurs when ts->ts_final_idx is 3 on certain chipsets, leading to an attempt to write to info->status.rates[ts->ts_final_idx + 1], which is outside the bounds of the rates array defined as ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES] where IEEE80211_TX_MAX_RATES is 4. This affects versions of the Linux kernel where this code path is present prior to the fix [1].
Exploitation
An attacker would need to trigger a specific condition within the Wi-Fi driver's transmission process that leads to the ts->ts_final_idx variable being set to 3. This condition is related to the transmission status of Wi-Fi packets. The vulnerability is triggered by the normal operation of the driver under specific circumstances, not requiring direct user interaction or elevated privileges beyond what is needed to operate the Wi-Fi interface [1].
Impact
The vulnerability results in an out-of-bounds write operation. While the write itself is negligible, overwriting only the ack_signal member of info->status, it indicates a flaw in array boundary checking within the driver. The precise impact on Wi-Fi functionality or system stability due to this specific OOB write is not fully detailed but stems from a potential for memory corruption [1].
Mitigation
The vulnerability has been resolved by implementing a check to ensure the array index is less than the array size before writing. The fix is available in the Linux kernel via commit e9f1081bc775146156def0dbc821b92f35d56afb [1]. Users are advised to update to a patched version of the Linux kernel. No specific workaround is mentioned, and the EOL status or KEV listing for affected versions is not yet disclosed in the available references.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3Patches
16d748603f12bawifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index 05c9c07591fcb..6ca31d4ea437b 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
ecb1c1631667wifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index 4c6e57f9976de..edd5ca4ef81da 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1693,7 +1693,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
9dd6aae4bc7bwifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index cef17f33c69ea..168b135f3cd9e 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1692,7 +1692,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
744c19e266b0wifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index c59c144831770..04558fff0a99a 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
83226c71af53wifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index c59c144831770..04558fff0a99a 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
d6869537013bwifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index 4d88b02ffa795..917e1b087924f 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
e9f1081bc775wifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index 4d88b02ffa795..917e1b087924f 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
568173ad9bd0wifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index 05c9c07591fcb..6ca31d4ea437b 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
ecb1c1631667wifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index 4c6e57f9976de..edd5ca4ef81da 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1693,7 +1693,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
83226c71af53wifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index c59c144831770..04558fff0a99a 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
744c19e266b0wifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index c59c144831770..04558fff0a99a 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
9dd6aae4bc7bwifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index cef17f33c69ea..168b135f3cd9e 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1692,7 +1692,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
d6869537013bwifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index 4d88b02ffa795..917e1b087924f 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
d748603f12bawifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index 05c9c07591fcb..6ca31d4ea437b 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
e9f1081bc775wifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index 4d88b02ffa795..917e1b087924f 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
568173ad9bd0wifi: ath5k: do not access array OOB
1 file changed · +2 −2
drivers/net/wireless/ath/ath5k/base.c+2 −2 modifieddiff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index 05c9c07591fcb..6ca31d4ea437b 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb, } info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; - info->status.rates[ts->ts_final_idx + 1].idx = -1; + if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) + info->status.rates[ts->ts_final_idx + 1].idx = -1; if (unlikely(ts->ts_status)) { ah->stats.ack_fail++; -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"The ath5k driver incorrectly accesses an array out of bounds when setting a transmission status."
Attack vector
An attacker can trigger this vulnerability by sending specific network traffic that causes the ath5k driver to perform an out-of-bounds write. This occurs when the `ts->ts_final_idx` variable, which determines the array index, reaches a value that, when incremented, exceeds the bounds of the `rates` array.
Affected code
The vulnerability exists in the `ath5k_tx_frame_completed` function within `drivers/net/wireless/ath/ath5k/base.c`. Specifically, the line `info->status.rates[ts->ts_final_idx + 1].idx = -1;` attempts to write to an array index that may be out of bounds.
What the fix does
The patch adds a check to ensure that the array index `ts->ts_final_idx + 1` is less than `IEEE80211_TX_MAX_RATES` before writing to `info->status.rates`. This prevents the out-of-bounds write by ensuring the index remains within the allocated bounds of the `rates` array, thus resolving the UBSAN warning and potential memory corruption.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/568173ad9bd0b46cc6cd937dea8791e9b5eefa57nvd
- git.kernel.org/stable/c/744c19e266b0d2628c5951439195dcef27eadacfnvd
- git.kernel.org/stable/c/83226c71af53fb9b3cad40cb9a9a79f36d68c020nvd
- git.kernel.org/stable/c/9dd6aae4bc7bfa11088d928670a3315eae542769nvd
- git.kernel.org/stable/c/d6869537013b1f21b292342752d97868b79b5934nvd
- git.kernel.org/stable/c/d748603f12baff112caa3ab7d39f50100f010dbdnvd
- git.kernel.org/stable/c/e9f1081bc775146156def0dbc821b92f35d56afbnvd
- git.kernel.org/stable/c/ecb1c163166759dec004c1fdb9709b8a5992fc8envd
News mentions
2- Google Android SDK: 10 Linux Kernel Vulnerabilities Disclosed TogetherVypr Intelligence · Jun 8, 2026
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 8, 2026Vypr Intelligence · Jun 8, 2026