How is CVE-2026-46152 exploited?

Network reachability (info): The attacker must be on the same adjacent network segment as the target, such as the same Wi-Fi network, LAN, or VPN - remote internet-based exploitation is not possible with this vector. Authentication (not-required): No credentials or session token of any kind are needed; an unauthenticated attacker on the adjacent network can trigger the race condition directly. Victim interaction (not-required): No user action is needed; the vulnerability is triggered purely by sending crafted wireless frames to the affected kernel. Attack complexity (info): The exploit is reliable and imposes no special environmental preconditions, though the underlying bug is a race between concurrent RX threads, meaning timing across parallel processors is involved.

What is the impact of CVE-2026-46152?

An attacker can read in-flight wireless packet data, exposing session tokens, credentials, or other sensitive payload contents processed by the affected kernel. An attacker can cause packets to be misrouted through ieee80211_rx_8023() or incorrectly marked as queued, corrupting the integrity of received network traffic. A packet that should have been consumed or dropped by the mesh data path can instead be injected into the 802.3 processing path, enabling unauthorized data injection. Repeated exploitation of the race can cause the wireless subsystem to process packets in undefined states, crashing the affected service or destabilizing the Wi-Fi stack entirely.

Back to search

HIGHCVE-2026-46152Published 2026-05-28Modified 2026-05-30CNA Linux

CVE-2026-46152: wifi: mac80211: drop stray 'static' from fast-RX rx_result

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: drop stray 'static' from fast-RX rx_result ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res. That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued. Make res an automatic variable so each invocation keeps its own result.

HarborGuard Analysis

HarborGuard analysis

Synopsis

A race condition in the Linux kernel's mac80211 Wi-Fi subsystem allows concurrent wireless packet processing to corrupt shared per-invocation state. The flaw is reachable from the adjacent network (same Wi-Fi segment, LAN, or VPN) without any authentication. Successful exploitation lets an attacker read sensitive data, tamper with network traffic, or disrupt wireless service. A patched-image rebuild at fix version 6.6.140 (and the corresponding upstream commit hashes) is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment - CVE-2026-46152 is ingested from upstream kernel advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected Linux kernel version. Any image running a vulnerable kernel release is flagged in the customer's registry and CI/CD pipeline scan results automatically.

Available

Triage

HarborGuard scores this issue at CVSS 8.8 (HIGH) using the v3.1 vector and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available

Patch

A patched-image rebuild pinned to Linux 6.6.140 (or the relevant upstream commit) becomes available through HarborGuard once the fix version is confirmed in the upstream feed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test pass, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityDetail
The attacker must be on the same adjacent network segment as the target, such as the same Wi-Fi network, LAN, or VPN - remote internet-based exploitation is not possible with this vector.
AuthenticationNot required
No credentials or session token of any kind are needed; an unauthenticated attacker on the adjacent network can trigger the race condition directly.
Victim interactionNot required
No user action is needed; the vulnerability is triggered purely by sending crafted wireless frames to the affected kernel.
Attack complexityDetail
The exploit is reliable and imposes no special environmental preconditions, though the underlying bug is a race between concurrent RX threads, meaning timing across parallel processors is involved.

Blast Radius

An attacker can read in-flight wireless packet data, exposing session tokens, credentials, or other sensitive payload contents processed by the affected kernel.
An attacker can cause packets to be misrouted through ieee80211_rx_8023() or incorrectly marked as queued, corrupting the integrity of received network traffic.
A packet that should have been consumed or dropped by the mesh data path can instead be injected into the 802.3 processing path, enabling unauthorized data injection.
Repeated exploitation of the race can cause the wireless subsystem to process packets in undefined states, crashing the affected service or destabilizing the Wi-Fi stack entirely.

How HarborGuard Handles This

Available on HarborGuard: images running a Linux kernel version affected by CVE-2026-46152 are matched automatically at ingest, with findings surfaced in registry and pipeline scan results within minutes of the advisory being published. For environments where compliance policy permits auto-remediation, HarborGuard can rebuild the affected image at Linux 6.6.140 or the applicable upstream commit, execute a regression test run, and open a pull request against affected workloads - median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding is routed to the designated team inbox with full CVSS context and fix-version detail so engineers can act manually. As a compensating control while a rebuild is staged, customers can apply network policy isolation to restrict adjacent-network access to Wi-Fi-exposed workloads and limit lateral reach from the same LAN or VPN segment.

See how HarborGuard automates this

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available

003584528bfffb195e384698af9148b94e42e3f141739fc31b4de06c5c78ce0741182770fb079091e3ef44f96ccc3e06e059dec57842e366f0c4b18936.6.1406.12.886.18.307.0.77.1-rc37a5b81e0c87a075afd572f659d8eb68c9c4cd2bae131562d6f2b958148c35c98831b007f47f0e3d3

Affected packages

Linux / Linux
< 03584528bfffb195e384698af9148b94e42e3f14 (from 3468e1e0c639032a603450f0830ccabfa76f5806) · < 1739fc31b4de06c5c78ce0741182770fb079091e (from 3468e1e0c639032a603450f0830ccabfa76f5806) · < e131562d6f2b958148c35c98831b007f47f0e3d3 (from 3468e1e0c639032a603450f0830ccabfa76f5806) · < 3ef44f96ccc3e06e059dec57842e366f0c4b1893 (from 3468e1e0c639032a603450f0830ccabfa76f5806) · < 7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba (from 3468e1e0c639032a603450f0830ccabfa76f5806)
Linux / Linux
6.4
Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Metrics

Fix available