Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Fix potential kernel oops when probe fails

When probe of the sdio brcmfmac device fails for some reasons (i.e.
missing firmware), the sdiodev->bus is set to error instead of NULL, thus
the cleanup later in brcmf_sdio_remove() tries to free resources via
invalid bus pointer. This happens because sdiodev->bus is set 2 times:
first in brcmf_sdio_probe() and second time in brcmf_sdiod_probe(). Fix
this by changing the brcmf_sdio_probe() function to return the error code
and set sdio->bus only there.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

During the probe of an SDIO brcmfmac Wi‑Fi device, the driver mistakenly assigns the bus pointer twice—once during the main probe and again during the SDIO probe. When the probe fails, this causes the driver to set the pointer to an invalid error value instead of NULL, and later the removal routine attempts to free resources through this corrupt pointer, triggering a kernel oops. The result is a local kernel crash that disrupts system availability and could be exploited to cause a denial‑of‑service state for the user or system.
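
The failure mode described above, modelled in userspace C as an added example (this is not the brcmfmac source; every struct and function name is hypothetical). The "before" outer probe stores an error-encoded pointer that a NULL-only cleanup guard accepts, while the "after" inner probe returns an errno and is the only writer of the bus field.

```c
/* Userspace model; every name here is hypothetical, not brcmfmac source. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Same idea as the kernel's ERR_PTR()/IS_ERR(): errno cast into the top 4095 addresses. */
static void *err_ptr(long e) { return (void *)(intptr_t)e; }
static int is_err(const void *p) { return (uintptr_t)p >= (uintptr_t)-4095; }

struct bus { int ready; };
struct dev { struct bus *bus; };

/* Before: the inner probe reports failure through its return pointer... */
static struct bus *bus_probe_old(int fw_present)
{
    if (!fw_present)
        return err_ptr(-ENOENT);
    return calloc(1, sizeof(struct bus));
}

/* ...and the outer probe stores that value unconditionally. */
static int dev_probe_old(struct dev *d, int fw_present)
{
    d->bus = bus_probe_old(fw_present);
    return is_err(d->bus) ? (int)(intptr_t)d->bus : 0;
}

/* After: the inner probe returns an errno and is the only writer of d->bus. */
static int bus_probe_new(struct dev *d, int fw_present)
{
    struct bus *b;
    if (!fw_present)
        return -ENOENT;              /* d->bus stays NULL */
    b = calloc(1, sizeof(*b));
    if (!b)
        return -ENOMEM;
    d->bus = b;
    return 0;
}

/* 1 when a NULL-only cleanup guard would go on to use an encoded errno as a pointer. */
static int cleanup_is_unsafe(const struct dev *d) { return d->bus && is_err(d->bus); }

int main(void)
{
    struct dev a = {0}, b = {0};
    dev_probe_old(&a, 0);            /* constructed case: firmware missing */
    bus_probe_new(&b, 0);
    return !(cleanup_is_unsafe(&a) && !cleanup_is_unsafe(&b));
}
```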

Affected Systems

All Linux kernel installations containing the brcmfmac driver are affected, regardless of distribution, until the patched code is incorporated. The bug exists in any kernel revision prior to the fix, which is relevant to devices with internal Wi‑Fi adapters using the SDIO interface.

Risk and Exploitability

The CVSS score is 5.5, and the EPSS score is 0.00022. The bug is not listed in the CISA KEV catalog. Because an attacker would need to trigger the SDIO probe failure—most likely by causing the system to lack the required firmware or by interacting with a removable Wi‑Fi adapter—the risk is constrained to local exploitation. Successful exploitation results in a kernel oops and consequent reboot or loss of service for the affected device, with no confirmed privilege escalation or data compromise reported.

Generated by OpenCVE AI on May 13, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the brcmfmac patch from commit d1b0d01538e202c00454c28b21d4432e
  • Ensure that the firmware package for brcmfmac SDIO devices is installed and up‑to‑date to prevent probe failures
  • If an immediate kernel upgrade is not possible, temporarily disable the offending Wi‑Fi adapter to avoid triggering the crash

Generated by OpenCVE AI on May 13, 2026 at 23:11 UTC.


Advisories

No advisories yet.

History

Wed, 13 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*

Thu, 07 May 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-476

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-763
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-476

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix potential kernel oops when probe fails When probe of the sdio brcmfmac device fails for some reasons (i.e. missing firmware), the sdiodev->bus is set to error instead of NULL, thus the cleanup later in brcmf_sdio_remove() tries to free resources via invalid bus pointer. This happens because sdiodev->bus is set 2 times: first in brcmf_sdio_probe() and second time in brcmf_sdiod_probe(). Fix this by changing the brcmf_sdio_probe() function to return the error code and set sdio->bus only there.
Title wifi: brcmfmac: Fix potential kernel oops when probe fails
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:18:36.548Z

Reserved: 2026-05-01T14:12:55.989Z

Link: CVE-2026-43144

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T12:16:31.870

Modified: 2026-05-13T21:10:13.997

Link: CVE-2026-43144

Redhat

Severity: Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43144 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T23:15:08Z

Weaknesses