CVE-2026-46180 Overview
CVE-2026-46180 is a use-after-free vulnerability in the Linux kernel's Broadcom FullMAC WLAN driver (brcmfmac). The flaw exists in the watchdog task shutdown path, where the kernel thread can terminate between the send_sig() and kthread_stop() calls. This race condition causes kthread_stop() to operate on a freed task_struct, leading to memory corruption in kernel space. The upstream fix increases the watchdog task reference count before signaling and switches to kthread_stop_put() to safely release it.
Critical Impact
A successful trigger of this race condition results in kernel-space use-after-free, which can cause system instability, denial of service, or potentially be leveraged for privilege escalation on systems using Broadcom FullMAC Wi-Fi hardware.
Affected Products
- Linux kernel builds including the brcmfmac Broadcom FullMAC WLAN driver
- Devices and distributions using Broadcom FullMAC Wi-Fi chipsets
- Stable kernel branches prior to the commits referenced in the upstream fix
Discovery Timeline
- 2026-05-28 - CVE-2026-46180 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46180
Vulnerability Analysis
The vulnerability resides in the Broadcom FullMAC WLAN driver (brcmfmac) watchdog teardown logic. When the driver shuts down its watchdog kernel thread, it issues send_sig() to wake the thread, then calls kthread_stop() to join it. If the watchdog thread exits on its own between these two calls, its task_struct is released. The subsequent kthread_stop() call then dereferences a freed structure, producing a kernel use-after-free condition [CWE-416].
This is a classic race window in kernel thread lifecycle management. Exploitation requires triggering watchdog termination at the precise moment the driver is tearing down, which typically aligns with adapter removal, suspend/resume cycles, or firmware reload events.
Root Cause
The root cause is missing reference counting on the watchdog task_struct across the signal-and-stop sequence. Without holding an explicit reference via get_task_struct(), the kernel cannot guarantee the task remains valid between send_sig() and kthread_stop(). The fix raises the reference count before signaling and uses kthread_stop_put(), which stops the thread and then drops that reference in a single call.
Attack Vector
The attack vector is local. Triggering the race requires the ability to induce brcmfmac driver teardown, such as removing or rebinding the device, toggling Wi-Fi state, or initiating suspend/resume cycles. The vulnerability does not appear remotely exploitable through wireless traffic alone, and no public exploit is available. The condition is timing-dependent, which limits reliable weaponization but does not eliminate denial-of-service risk on affected hardware.
No verified exploit code is available. Refer to the upstream kernel patch for the precise code change.
Detection Methods for CVE-2026-46180
Indicators of Compromise
- Kernel oops or panic messages referencing brcmfmac, kthread_stop, or task_struct in dmesg and /var/log/kern.log
- KASAN use-after-free reports tagged against the brcmfmac watchdog thread on debug kernels
- Unexpected Wi-Fi adapter resets, driver reload loops, or system hangs during suspend/resume on Broadcom hardware
Detection Strategies
- Audit running kernel versions across the fleet and compare against the fixed stable branches referenced in the upstream commits
- Enable KASAN on test systems to surface the use-after-free during driver teardown scenarios
- Correlate kernel crash telemetry with brcmfmac module load/unload events
Monitoring Recommendations
- Forward kernel.crit and kernel.err syslog facilities to a centralized log platform for analysis
- Track unplanned reboots and crash dumps on endpoints with Broadcom Wi-Fi hardware
- Alert on repeated brcmfmac module reloads, which may indicate the race is being triggered
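A triage sketch for the crash indicators listed above, added here as an example and not taken from the advisory or the upstream kernel tree. The function names, the HIGH/REVIEW tiers, the sample log lines and the example_* frame names are all constructed for illustration.

```shell
#!/bin/sh
# Added example: triage kernel log text (stdin) for crash reports implicating brcmfmac.
#   HIGH   = a brcmfmac frame and kthread_stop appear in the same report
#   REVIEW = a brcmfmac frame appears, kthread_stop does not
triage_brcmfmac_reports() {
    awk '
    function emit(   level) {
        if (active && drv) {
            level = stop ? "HIGH" : "REVIEW"
            print level ": " header
        }
        active = 0; drv = 0; stop = 0; n = 0
    }
    # An oops or KASAN use-after-free header opens a report.
    /BUG: KASAN: .*use-after-free|BUG: unable to handle|Oops:|general protection fault/ {
        if (!active) { active = 1; header = $0 }
    }
    active {
        n++
        # "Modules linked in:" lists every loaded module, so it is not evidence.
        if ($0 !~ /Modules linked in:/ && $0 ~ /brcmfmac/) drv = 1
        if ($0 ~ /kthread_stop/) stop = 1
        # Close on the oops trailer, the KASAN delimiter, or an 80-line cap.
        if ($0 ~ /---\[ end trace/ || $0 ~ /==========/ || n >= 80) emit()
    }
    END { emit() }'
}

# Constructed sample input (not captured from a real system).
sample_kernel_log() {
    cat <<'EOF'
[  412.301000] ==================================================================
[  412.302000] BUG: KASAN: slab-use-after-free in kthread_stop+0x2c/0x1f0
[  412.303000] Read of size 8 at addr ffff888012345678 by task kworker/0:1/42
[  412.304000]  kthread_stop+0x2c/0x1f0
[  412.305000]  example_teardown+0x4c/0x90 [brcmfmac]
[  412.306000] ==================================================================
[  900.100000] BUG: unable to handle page fault for address: ffffffffc0000000
[  900.101000] Oops: 0000 [#1] SMP
[  900.102000] Modules linked in: brcmfmac cfg80211 example_mod
[  900.103000]  example_other+0x10/0x40 [example_mod]
[  900.104000] ---[ end trace 0000000000000000 ]---
[ 1200.500000] general protection fault, probably for non-canonical address 0xdead000000000100
[ 1200.501000]  example_rx+0x88/0x120 [brcmfmac]
[ 1200.502000] ---[ end trace 0000000000000000 ]---
EOF
}

# Real use: dmesg | triage_brcmfmac_reports   (or: journalctl -k | ...)
sample_kernel_log | triage_brcmfmac_reports
```

The second sample report is deliberately dropped: brcmfmac appears only in its module list, which is true of every crash on a host that has the driver loaded.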
How to Mitigate CVE-2026-46180
Immediate Actions Required
- Inventory Linux systems using the brcmfmac driver via lsmod | grep brcmfmac and prioritize patching
- Apply vendor-supplied kernel updates from your distribution as soon as they include the upstream fix
- On unpatched systems, restrict local access and avoid unnecessary driver reload or device rebind operations
Patch Information
The vulnerability is resolved upstream across multiple stable branches. Reference the fix commits: 658d2e46c2e9, 908b92231e1d, c623b6358088, d16827cb1d39, and ed4168d1a50f. The fix adds a reference grab before send_sig() and replaces kthread_stop() with kthread_stop_put().
Workarounds
- Blacklist the brcmfmac module on systems that do not require Broadcom Wi-Fi: add blacklist brcmfmac to /etc/modprobe.d/blacklist.conf
- Disable Wi-Fi at the hardware or BIOS level on systems where wireless is not in use
- Limit local user accounts that can trigger driver teardown via rfkill, nmcli, or device rebinding
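# Verify the running kernel and brcmfmac module status
uname -r
modinfo brcmfmac | grep -E 'filename|version|srcversion'
# Optional: blacklist the driver until a patched kernel is deployed.
# "blacklist" only stops alias-based autoloading; an explicit modprobe still loads the module.
echo 'blacklist brcmfmac' | sudo tee /etc/modprobe.d/brcmfmac-blacklist.conf
# Debian/Ubuntu: rebuild the initramfs so the setting also applies at early boot
sudo update-initramfs -u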


