Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: wl1251: validate packet IDs before indexing tx_frames

wl1251_tx_packet_cb() uses the firmware completion ID directly to index
the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the
completion block, and the callback does not currently verify that it
fits the array before dereferencing it.

Reject completion IDs that fall outside wl->tx_frames[] and keep the
existing NULL check in the same guard. This keeps the fix local to the
trust boundary and avoids touching the rest of the completion flow.
Published: 2026-05-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The wl1251 Wi-Fi driver indices a 16-entry array using a firmware completion ID without verifying the bounds of the index. When a completion ID larger than 15 is received, the driver dereferences an array out of bounds, corrupting kernel memory. This unchecked array index flaw can precipitate a kernel crash or, if an attacker controls the context, privilege escalation. The vulnerability aligns with CWE-1285 (improper validation of array bounds) and CWE-476 (null pointer dereference), indicating both improper input validation and potential null pointer issues.

Affected Systems

Vendor: Linux. Product: Linux kernel that includes the wl1251 Wi-Fi driver. No specific kernel version list is supplied, so any kernel build containing this driver may be affected.

Risk and Exploitability

Based on the description, it is inferred that an attacker could trigger the vulnerable callback by sending crafted frames to the wireless interface, possibly from a nearby device or a remote attacker with wireless access. The EPSS score is reported as less than 1% and the CVSS score is 8.8. The vulnerability is not listed in CISA's KEV catalog. This unchecked index makes exploitation plausible and the severity of the flaw is high according to the CVSS score.

Generated by OpenCVE AI on May 8, 2026 at 20:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that incorporates the wl1251_tx_packet_cb() patch
  • If a patch is not yet available, disable the wl1251 driver or bring the wireless interface down to remove the exploit surface
  • Ensure the wireless firmware remains from a trusted source and apply any available firmware updates to eliminate the risk of tampering

Generated by OpenCVE AI on May 8, 2026 at 20:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 07 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 06 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: validate packet IDs before indexing tx_frames wl1251_tx_packet_cb() uses the firmware completion ID directly to index the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the completion block, and the callback does not currently verify that it fits the array before dereferencing it. Reject completion IDs that fall outside wl->tx_frames[] and keep the existing NULL check in the same guard. This keeps the fix local to the trust boundary and avoids touching the rest of the completion flow.
Title wifi: wl1251: validate packet IDs before indexing tx_frames
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:59.275Z

Reserved: 2026-05-01T14:12:55.986Z

Link: CVE-2026-43113

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T10:16:25.050

Modified: 2026-05-08T17:58:54.773

Link: CVE-2026-43113

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43113 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T20:15:15Z

Weaknesses