HIGHCVE-2026-43113Published Modified CNA Linux
CVE-2026-43113: wifi: wl1251: validate packet IDs before indexing tx_frames
In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: validate packet IDs before indexing tx_frames wl1251_tx_packet_cb() uses the firmware completion ID directly to index the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the completion block, and the callback does not currently verify that it fits the array before dereferencing it. Reject completion IDs that fall outside wl->tx_frames[] and keep the existing NULL check in the same guard. This keeps the fix local to the trust boundary and avoids touching the rest of the completion flow.
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- 0
- Affected Products
- 2
Fix available
00fd56fad9c56356e7fa7a7c52e7ecbf807a44eb026ee518695c484f75e3606d631278e84bd24ae026.6.1366.12.836.18.246.19.147.08d7465be5163a923ee5d7459719ef5a021c1584ab6ba1eacf276063ebeefbbae8056043c24f2efafdf15adc692a802636dd3f258fc7cca8bf7a0ed9a
Affected packages
- Linux / Linux< b6ba1eacf276063ebeefbbae8056043c24f2efaf (from 2f01a1f58889fbfeb68b1bc1b52e4197f3333490) · < df15adc692a802636dd3f258fc7cca8bf7a0ed9a (from 2f01a1f58889fbfeb68b1bc1b52e4197f3333490) · < 8d7465be5163a923ee5d7459719ef5a021c1584a (from 2f01a1f58889fbfeb68b1bc1b52e4197f3333490) · < 26ee518695c484f75e3606d631278e84bd24ae02 (from 2f01a1f58889fbfeb68b1bc1b52e4197f3333490) · < 0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 (from 2f01a1f58889fbfeb68b1bc1b52e4197f3333490)
- Linux / Linux2.6.31Fixed in 0, 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H