CVE-2026-46152 Overview
CVE-2026-46152 is a concurrency flaw in the Linux kernel's mac80211 wireless subsystem. The function ieee80211_invoke_fast_rx() is documented as safe for parallel receive (RX) processing, but its per-invocation rx_result variable was declared static. Concurrent callers shared a single instance and could overwrite each other's result between ieee80211_rx_mesh_data() and the subsequent switch on res.
The race can cause a packet that was queued or consumed by ieee80211_rx_mesh_data() to fall through into ieee80211_rx_8023(), or cause a packet that should continue processing to be incorrectly treated as queued. The fix promotes res to an automatic (stack) variable so each invocation maintains its own result.
Critical Impact
Concurrent fast-RX paths in mac80211 can corrupt per-packet processing state, leading to mishandled wireless frames, kernel-level packet logic errors, and potential mesh networking instability.
Affected Products
- Linux kernel versions containing the ieee80211_invoke_fast_rx() fast-RX path with the static rx_result declaration
- Linux distributions shipping mac80211-based wireless stacks (mesh and 802.3 RX paths)
- Wireless drivers and hardware relying on the kernel mac80211 framework for RX processing
Discovery Timeline
- 2026-05-28 - CVE-2026-46152 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46152
Vulnerability Analysis
The vulnerability resides in the ieee80211_invoke_fast_rx() function inside the Linux kernel mac80211 subsystem. This function handles the fast-RX path for received wireless frames and is explicitly designed to be invoked in parallel across multiple CPUs. Parallel invocation requires that all per-call state remain isolated to each invocation.
The rx_result variable, which records the outcome of intermediate processing such as ieee80211_rx_mesh_data(), was declared static. A static declaration inside a function creates a single shared instance with program lifetime. Concurrent callers therefore wrote to and read from the same memory location without synchronization.
The race window sits between the write to res by ieee80211_rx_mesh_data() and the subsequent switch (res) dispatch. Under contention, one thread's outcome could overwrite another's. The result is inconsistent control flow: frames already queued or consumed by the mesh data handler could fall through to ieee80211_rx_8023() for redundant processing, and frames that should continue could be incorrectly classified as queued and dropped from the active path.
Root Cause
The root cause is the misuse of the static storage class for a variable that must hold per-invocation state. In C, function-scope static variables persist across calls and are shared across all threads invoking the function. The fast-RX path requires automatic (stack) storage so each parallel invocation maintains its own rx_result.
Attack Vector
Triggering this race condition requires concurrent wireless RX activity processed through the fast-RX path, particularly involving mesh data frames. The flaw is not a traditional remote-code-execution primitive. It manifests as a logic and stability defect under load. Consequences include packet mishandling, mesh networking malfunction, and potential denial-of-service conditions on affected wireless interfaces.
The vulnerability is described in prose only; no public proof-of-concept code is referenced. See the upstream commits in the Linux kernel stable tree for technical details on the corrected code path.
Detection Methods for CVE-2026-46152
Indicators of Compromise
- Unexpected duplication or loss of wireless frames on systems using mac80211 mesh networking under concurrent RX load
- Kernel logs reporting anomalous frame handling, mesh forwarding errors, or unexpected 802.3 conversion of frames that should have been consumed by the mesh data path
- Wireless interface instability or throughput regression on multi-CPU systems with active mesh traffic
Detection Strategies
- Inventory Linux kernel versions in use and compare against the patched commits referenced in the kernel stable tree to determine exposure
- Monitor wireless driver telemetry and dmesg output for mac80211 warnings tied to fast-RX and mesh processing
- Audit endpoints and infrastructure devices that run mesh networking workloads on the Linux kernel
Monitoring Recommendations
- Track kernel package versions across the fleet and alert on hosts running unpatched mac80211 builds
- Correlate wireless interface error counters with CPU concurrency metrics to identify race-driven anomalies
- Centralize kernel and network logs for retrospective analysis when stability issues are reported
How to Mitigate CVE-2026-46152
Immediate Actions Required
- Apply the upstream Linux kernel patch that removes the static qualifier from rx_result in ieee80211_invoke_fast_rx()
- Update to a stable kernel release that includes one of the referenced fix commits and reboot affected systems
- Prioritize patching for hosts and devices that operate as mesh nodes or carry significant wireless RX load
Patch Information
The fix changes res from a static variable to an automatic variable so each parallel invocation of ieee80211_invoke_fast_rx() retains its own result. The corrected code is available in the following kernel stable tree commits: 03584528bfff, 1739fc31b4de, 3ef44f96ccc3, 7a5b81e0c87a, and e131562d6f2b.
Workarounds
- Where patching is not immediately possible, reduce exposure by disabling mesh networking features on affected wireless interfaces
- Limit concurrent RX paths by constraining wireless workloads on multi-CPU hosts until the kernel update is deployed
- Apply vendor-supplied backports from your Linux distribution as soon as they become available
# Verify kernel version and check for patched mac80211 build
uname -r
modinfo mac80211 | grep -E 'version|srcversion'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
