HIGH · CVE-2026-46307 · Published · Modified · CNA: Linux

CVE-2026-46307: wifi: ath5k: do not access array OOB

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath5k: do not access array OOB

Vincent reports:
> The ath5k driver seems to do an array-index-out-of-bounds access as
> shown by the UBSAN kernel message:
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
> index 4 is out of range for type 'ieee80211_tx_rate [4]'
> ...
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5d/0x80
> ubsan_epilogue+0x5/0x2b
> __ubsan_handle_out_of_bounds.cold+0x46/0x4b
> ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
> tasklet_action_common+0xb5/0x1c0

It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
   info->status.rates[ts->ts_final_idx + 1].idx = -1;
with the array defined as:
   struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
while the size is:
   #define IEEE80211_TX_MAX_RATES 4
is indeed bogus.

Set this 'idx = -1' sentinel only if the array index is less than the array size. As mac80211 will not look at rates beyond the size (IEEE80211_TX_MAX_RATES).

Note: The effect of the OOB write is negligible. It just overwrites the next member of info->status, i.e. ack_signal.
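The bounds check described in the commit message, as an added user-space model (not the kernel patch and not HarborGuard code). The struct layouts and the helpers `sentinel_offset`, `sentinel_hits_ack_signal` and `set_rate_sentinel` are hypothetical, simplified stand-ins; only `IEEE80211_TX_MAX_RATES = 4`, the `idx = -1` sentinel and the `ack_signal` neighbour come from the text above. The location of the unguarded write is computed from offsets rather than performed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IEEE80211_TX_MAX_RATES 4 /* size quoted in the commit message */

/* Simplified stand-ins for the mac80211 types; the layout is an assumption. */
struct tx_rate { int8_t idx; uint8_t count; uint8_t flags; };
struct tx_status {
    struct tx_rate rates[IEEE80211_TX_MAX_RATES];
    int32_t ack_signal; /* next member, per the commit message */
};

/* Byte offset that the unguarded rates[final_idx + 1].idx write would touch. */
static size_t sentinel_offset(int final_idx)
{
    return offsetof(struct tx_status, rates)
         + (size_t)(final_idx + 1) * sizeof(struct tx_rate)
         + offsetof(struct tx_rate, idx);
}

/* Nonzero when that offset lies inside ack_signal instead of rates[]. */
static int sentinel_hits_ack_signal(int final_idx)
{
    size_t off = sentinel_offset(final_idx);
    size_t lo = offsetof(struct tx_status, ack_signal);
    return off >= lo && off < lo + sizeof(int32_t);
}

/* Guarded form: write the idx = -1 terminator only when the slot exists.
 * Returns 1 if written, 0 if skipped (the lower bound is an extra check). */
static int set_rate_sentinel(struct tx_status *st, int final_idx)
{
    int next = final_idx + 1;
    if (next < 0 || next >= IEEE80211_TX_MAX_RATES)
        return 0;
    st->rates[next].idx = -1;
    return 1;
}

int main(void)
{
    struct tx_status st = { .ack_signal = -42 }; /* constructed sample value */
    for (int i = 0; i < IEEE80211_TX_MAX_RATES; i++)
        printf("final_idx=%d unguarded hits ack_signal=%d guarded wrote=%d\n",
               i, sentinel_hits_ack_signal(i), set_rate_sentinel(&st, i));
    printf("ack_signal after guarded writes: %d\n", (int)st.ack_signal);
    return 0;
}
```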

Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: 0
Affected Products: 2


HarborGuard Analysis

Synopsis

An out-of-bounds array write exists in the Linux kernel's ath5k Wi-Fi driver (drivers/net/wireless/ath/ath5k/base.c). The flaw is reachable from the adjacent network, requires no authentication, and allows an attacker within Wi-Fi range to trigger the vulnerable transmit-completion path. Successful exploitation gives the attacker high-confidence read and write access to kernel memory regions, with limited disruption to service availability. Patched-image rebuilds at versions 5.10.258, 5.15.209, and 6.1.175 are available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle affected kernel versions.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 8.3 (HIGH) and weights it against each environment's compliance policy, then routes the finding to the appropriate team inbox within the customer org.

Status: Available

Patch

A patched-image rebuild at the fixed kernel versions (5.10.258, 5.15.209, or 6.1.175, depending on the branch in use) becomes available through HarborGuard once the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Detail

    The attacker must be on the same adjacent network segment, such as a local Wi-Fi network or LAN, to reach the vulnerable ath5k driver path; remote internet-based access is not sufficient.

  • Authentication: Not required

    No credentials or prior authentication are needed to trigger the out-of-bounds write through the ath5k transmit-completion tasklet.

  • Victim interaction: Not required

    No action from a user or operator on the target system is required; exploitation is passive from the victim's perspective.

  • Attack complexity: Detail

    Exploit conditions are straightforward and require no special timing, race conditions, or environmental prerequisites beyond adjacency to the wireless interface.

Blast Radius

  • Attacker overwrites kernel memory adjacent to the rate array, specifically the ack_signal field in the tx status structure, enabling targeted memory manipulation.
  • High confidentiality impact: kernel memory contents in the affected region can be read, including data structures that may hold sensitive network or session information.
  • High integrity impact: the out-of-bounds write allows corruption of kernel data adjacent to the transmit-rate array, which can alter driver behavior or be leveraged for further exploitation.
  • Limited availability impact: the write targets a narrow memory region and is unlikely to crash the system outright, though repeated triggering may cause unpredictable driver state.

How HarborGuard Handles This

Available on HarborGuard: once upstream fixes at 5.10.258, 5.15.209, 6.1.175, or the equivalent commit (568173ad9bd0b46cc6cd937dea8791e9b5eefa57) are confirmed, a patched-image rebuild becomes available for any customer image bundling an affected kernel. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where compliance policy does not permit auto-remediation, the finding is surfaced in the customer dashboard with the specific kernel version range and the recommended target version clearly identified. As an interim compensating control, customers can apply network policy rules to restrict adjacent-network access to hosts running the ath5k driver, reducing the exposure window until the patched image is deployed.


Fix available

Affected packages
  • Linux / Linux
    < ecb1c163166759dec004c1fdb9709b8a5992fc8e (from 6d7b97b23e114c8fbb825e6721164d228c1af3fc) · < 9dd6aae4bc7bfa11088d928670a3315eae542769 (from 6d7b97b23e114c8fbb825e6721164d228c1af3fc) · < 744c19e266b0d2628c5951439195dcef27eadacf (from 6d7b97b23e114c8fbb825e6721164d228c1af3fc) · < 83226c71af53fb9b3cad40cb9a9a79f36d68c020 (from 6d7b97b23e114c8fbb825e6721164d228c1af3fc) · < d6869537013b1f21b292342752d97868b79b5934 (from 6d7b97b23e114c8fbb825e6721164d228c1af3fc) · < e9f1081bc775146156def0dbc821b92f35d56afb (from 6d7b97b23e114c8fbb825e6721164d228c1af3fc)
  • Linux / Linux
    3.0
    Fixed in 0, 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L