{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-46307: wifi: ath5k: do not access array OOB","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-46307","status":"final","version":"1","initial_release_date":"2026-06-08T15:46:35.059Z","current_release_date":"2026-06-14T04:30:07.952Z","revision_history":[{"date":"2026-06-08T15:46:35.059Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath5k: do not access array OOB\n\nVincent reports:\n> The ath5k driver seems to do an array-index-out-of-bounds access as\n> shown by the UBSAN kernel message:\n> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20\n> index 4 is out of range for type 'ieee80211_tx_rate [4]'\n> ...\n> Call Trace:\n>  <TASK>\n>  dump_stack_lvl+0x5d/0x80\n>  ubsan_epilogue+0x5/0x2b\n>  __ubsan_handle_out_of_bounds.cold+0x46/0x4b\n>  ath5k_tasklet_tx+0x4e0/0x560 [ath5k]\n>  tasklet_action_common+0xb5/0x1c0\n\nIt is real. 'ts->ts_final_idx' can be 3 on 5212, so:\n   info->status.rates[ts->ts_final_idx + 1].idx = -1;\nwith the array defined as:\n   struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];\nwhile the size is:\n   #define IEEE80211_TX_MAX_RATES  4\nis indeed bogus.\n\nSet this 'idx = -1' sentinel only if the array index is less than the\narray size. As mac80211 will not look at rates beyond the size\n(IEEE80211_TX_MAX_RATES).\n\nNote: The effect of the OOB write is negligible. It just overwrites the\nnext member of info->status, i.e. ack_signal.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-46307 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-46307"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-46307"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/ecb1c163166759dec004c1fdb9709b8a5992fc8e"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/9dd6aae4bc7bfa11088d928670a3315eae542769"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/744c19e266b0d2628c5951439195dcef27eadacf"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/83226c71af53fb9b3cad40cb9a9a79f36d68c020"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/d6869537013b1f21b292342752d97868b79b5934"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/e9f1081bc775146156def0dbc821b92f35d56afb"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/568173ad9bd0b46cc6cd937dea8791e9b5eefa57"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/d748603f12baff112caa3ab7d39f50100f010dbd"}]},"product_tree":{"branches":[{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version_range","name":">=6d7b97b23e114c8fbb825e6721164d228c1af3fc <ecb1c163166759dec004c1fdb9709b8a5992fc8e","product":{"name":"Linux Linux >=6d7b97b23e114c8fbb825e6721164d228c1af3fc <ecb1c163166759dec004c1fdb9709b8a5992fc8e","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=6d7b97b23e114c8fbb825e6721164d228c1af3fc <9dd6aae4bc7bfa11088d928670a3315eae542769","product":{"name":"Linux Linux >=6d7b97b23e114c8fbb825e6721164d228c1af3fc <9dd6aae4bc7bfa11088d928670a3315eae542769","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=6d7b97b23e114c8fbb825e6721164d228c1af3fc <744c19e266b0d2628c5951439195dcef27eadacf","product":{"name":"Linux Linux >=6d7b97b23e114c8fbb825e6721164d228c1af3fc <744c19e266b0d2628c5951439195dcef27eadacf","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=6d7b97b23e114c8fbb825e6721164d228c1af3fc <83226c71af53fb9b3cad40cb9a9a79f36d68c020","product":{"name":"Linux Linux >=6d7b97b23e114c8fbb825e6721164d228c1af3fc <83226c71af53fb9b3cad40cb9a9a79f36d68c020","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=6d7b97b23e114c8fbb825e6721164d228c1af3fc <d6869537013b1f21b292342752d97868b79b5934","product":{"name":"Linux Linux >=6d7b97b23e114c8fbb825e6721164d228c1af3fc <d6869537013b1f21b292342752d97868b79b5934","product_id":"CSAFPID-5","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=6d7b97b23e114c8fbb825e6721164d228c1af3fc <e9f1081bc775146156def0dbc821b92f35d56afb","product":{"name":"Linux Linux >=6d7b97b23e114c8fbb825e6721164d228c1af3fc <e9f1081bc775146156def0dbc821b92f35d56afb","product_id":"CSAFPID-6","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=6d7b97b23e114c8fbb825e6721164d228c1af3fc <568173ad9bd0b46cc6cd937dea8791e9b5eefa57","product":{"name":"Linux Linux >=6d7b97b23e114c8fbb825e6721164d228c1af3fc <568173ad9bd0b46cc6cd937dea8791e9b5eefa57","product_id":"CSAFPID-7","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=6d7b97b23e114c8fbb825e6721164d228c1af3fc <d748603f12baff112caa3ab7d39f50100f010dbd","product":{"name":"Linux Linux >=6d7b97b23e114c8fbb825e6721164d228c1af3fc <d748603f12baff112caa3ab7d39f50100f010dbd","product_id":"CSAFPID-8","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version","name":"3.0","product":{"name":"Linux Linux 3.0","product_id":"CSAFPID-9","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.0:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"0","product":{"name":"Linux Linux 0","product_id":"CSAFPID-10","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.0:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"5.10.258","product":{"name":"Linux Linux 5.10.258","product_id":"CSAFPID-11","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.0:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"5.15.209","product":{"name":"Linux Linux 5.15.209","product_id":"CSAFPID-12","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.0:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.1.175","product":{"name":"Linux Linux 6.1.175","product_id":"CSAFPID-13","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.0:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.6.140","product":{"name":"Linux Linux 6.6.140","product_id":"CSAFPID-14","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.0:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.12.88","product":{"name":"Linux Linux 6.12.88","product_id":"CSAFPID-15","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.0:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.18.30","product":{"name":"Linux Linux 6.18.30","product_id":"CSAFPID-16","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.0:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.0.7","product":{"name":"Linux Linux 7.0.7","product_id":"CSAFPID-17","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.0:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.1-rc3","product":{"name":"Linux Linux 7.1-rc3","product_id":"CSAFPID-18","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.0:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-46307","title":"wifi: ath5k: do not access array OOB","notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath5k: do not access array OOB\n\nVincent reports:\n> The ath5k driver seems to do an array-index-out-of-bounds access as\n> shown by the UBSAN kernel message:\n> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20\n> index 4 is out of range for type 'ieee80211_tx_rate [4]'\n> ...\n> Call Trace:\n>  <TASK>\n>  dump_stack_lvl+0x5d/0x80\n>  ubsan_epilogue+0x5/0x2b\n>  __ubsan_handle_out_of_bounds.cold+0x46/0x4b\n>  ath5k_tasklet_tx+0x4e0/0x560 [ath5k]\n>  tasklet_action_common+0xb5/0x1c0\n\nIt is real. 'ts->ts_final_idx' can be 3 on 5212, so:\n   info->status.rates[ts->ts_final_idx + 1].idx = -1;\nwith the array defined as:\n   struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];\nwhile the size is:\n   #define IEEE80211_TX_MAX_RATES  4\nis indeed bogus.\n\nSet this 'idx = -1' sentinel only if the array index is less than the\narray size. As mac80211 will not look at rates beyond the size\n(IEEE80211_TX_MAX_RATES).\n\nNote: The effect of the OOB write is negligible. It just overwrites the\nnext member of info->status, i.e. ack_signal.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6","CSAFPID-7","CSAFPID-8","CSAFPID-9"],"fixed":["CSAFPID-10","CSAFPID-11","CSAFPID-12","CSAFPID-13","CSAFPID-14","CSAFPID-15","CSAFPID-16","CSAFPID-17","CSAFPID-18"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","baseScore":8.3,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6","CSAFPID-7","CSAFPID-8","CSAFPID-9"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 0, 5.10.258, 5.15.209, 568173ad9bd0b46cc6cd937dea8791e9b5eefa57, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc3, 744c19e266b0d2628c5951439195dcef27eadacf, 83226c71af53fb9b3cad40cb9a9a79f36d68c020, 9dd6aae4bc7bfa11088d928670a3315eae542769, d6869537013b1f21b292342752d97868b79b5934, d748603f12baff112caa3ab7d39f50100f010dbd, e9f1081bc775146156def0dbc821b92f35d56afb, ecb1c163166759dec004c1fdb9709b8a5992fc8e.","product_ids":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6","CSAFPID-7","CSAFPID-8","CSAFPID-9"]}]}]}