CVE-2026-46307 Overview
CVE-2026-46307 is an out-of-bounds array access vulnerability in the Linux kernel's ath5k wireless driver. The flaw resides in drivers/net/wireless/ath/ath5k/base.c at line 1741, where the driver writes a sentinel value (idx = -1) one element past the end of the ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES] array. When ts->ts_final_idx reaches 3 on AR5212-based hardware, the access overflows the four-element array. The Undefined Behavior Sanitizer (UBSAN) flagged the issue during runtime. The patched kernel constrains the sentinel write to indices within the array bounds.
Critical Impact
Local out-of-bounds write in the ath5k Wi-Fi driver triggers UBSAN warnings and overwrites the adjacent ack_signal field within info->status, with negligible runtime effect but undefined behavior in kernel memory.
Affected Products
- Linux kernel branches containing the ath5k wireless driver
- Systems using Atheros AR5212-based 802.11 a/b/g wireless chipsets
- Distributions shipping kernels prior to the fix commits referenced in the kernel.org stable tree
Discovery Timeline
- 2026-06-08 - CVE-2026-46307 published to the National Vulnerability Database
- 2026-06-08 - Last updated in the NVD database
Technical Details for CVE-2026-46307
Vulnerability Analysis
The vulnerability is an out-of-bounds write in the ath5k_tasklet_tx code path. The driver populates rate retry information in info->status.rates[], an array declared as struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES] where IEEE80211_TX_MAX_RATES equals 4. After processing the final rate index, the driver writes a sentinel value to rates[ts->ts_final_idx + 1].idx = -1 to mark the end of valid entries. On AR5212 hardware, ts->ts_final_idx can equal 3, producing an access to rates[4], one element beyond the array's defined bounds.
UBSAN detected the access at runtime and emitted an array-index-out-of-bounds report with a call trace through ath5k_tasklet_tx and tasklet_action_common. According to the upstream commit message, the practical effect is limited: the write overflows into the adjacent ack_signal member of info->status rather than into unrelated memory. The fix conditionally writes the sentinel only when the next index is still within the array, relying on the fact that mac80211 does not read past IEEE80211_TX_MAX_RATES.
Root Cause
The root cause is missing bounds validation before writing the sentinel terminator. The driver assumed ts_final_idx + 1 would always remain within the four-element rate array, but hardware can legitimately report a final index of 3, causing the increment to exceed the array size.
Attack Vector
The code path executes inside a kernel tasklet handling Wi-Fi transmit completion, so it is not reachable through unauthenticated remote input in the usual sense. Triggering the condition requires the affected ath5k-driven hardware to complete transmission using the maximum number of retry rates. There is no known method to weaponize the write into privilege escalation because the corrupted field is bounded and immediately adjacent within the same structure.
The vulnerability is best described as a defensive correctness issue rather than an exploitable memory corruption primitive. See the kernel commit history for the exact patch diff.
Detection Methods for CVE-2026-46307
Indicators of Compromise
- UBSAN kernel log entries containing array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741
- Kernel stack traces showing ath5k_tasklet_tx followed by __ubsan_handle_out_of_bounds
- Systems running ath5k-driven Atheros AR5212 wireless adapters on unpatched kernels
Detection Strategies
- Enable CONFIG_UBSAN and CONFIG_UBSAN_BOUNDS in test kernels to surface the out-of-bounds access during runtime
- Inventory kernel versions across the fleet and compare against fixed commits such as 568173a, 744c19e, 83226c7, 9dd6aae, d686953, d748603, e9f1081, and ecb1c16
- Identify hosts loading the ath5k kernel module via lsmod or /proc/modules telemetry
Monitoring Recommendations
- Forward dmesg and /var/log/kern.log output to a centralized logging platform and alert on UBSAN strings
- Track wireless driver module load events and correlate with kernel build versions
- Monitor patch compliance status for Linux endpoints using vulnerable kernel branches
How to Mitigate CVE-2026-46307
Immediate Actions Required
- Apply the upstream kernel patch referenced in the kernel.org stable commit d6869537 or pick up a distribution kernel update that includes the fix
- Reboot affected systems after kernel installation to load the patched ath5k module
- Validate that UBSAN no longer reports the out-of-bounds access after patching
Patch Information
The fix is distributed across multiple stable kernel branches via the commits listed in the kernel.org references, including 568173a, 744c19e, 83226c7, 9dd6aae, d686953, d748603, e9f1081, and ecb1c16. The patch wraps the sentinel write with a bounds check so rates[ts_final_idx + 1].idx = -1 executes only when the next index is below IEEE80211_TX_MAX_RATES.
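A user-space model of the sentinel write described under Vulnerability Analysis and Patch Information, added here as an illustration and not taken from the kernel source or the upstream patch. The struct names, the three-byte rate entry and ACK_SAMPLE are assumptions, chosen so that ack_signal directly follows rates[] as the page describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IEEE80211_TX_MAX_RATES 4
#define ACK_SAMPLE 0x01020304          /* constructed sample value */

/* Simplified stand-ins for the mac80211 types; this layout is an assumption. */
struct tx_rate_model { int8_t idx; uint8_t count; uint8_t flags; };
struct tx_status_model {
    struct tx_rate_model rates[IEEE80211_TX_MAX_RATES];
    int32_t ack_signal;                /* member directly after rates[] */
};
_Static_assert(offsetof(struct tx_status_model, ack_signal) ==
               IEEE80211_TX_MAX_RATES * sizeof(struct tx_rate_model),
               "model requires ack_signal to follow rates[] with no padding");

/* Byte offset of rates[final_idx + 1].idx (rates[] is the first member). */
static size_t sentinel_offset(int final_idx)
{
    return (size_t)(final_idx + 1) * sizeof(struct tx_rate_model);
}

/* Pre-fix shape: unconditional sentinel, written via a byte pointer so the
 * model stays well-defined C. Callers pass final_idx in 0..3 only. */
static void mark_end_unpatched(struct tx_status_model *st, int final_idx)
{
    ((unsigned char *)st)[sentinel_offset(final_idx)] = 0xFF; /* idx = -1 */
}

/* Post-fix shape: write the sentinel only while the next slot exists. */
static int mark_end_patched(struct tx_status_model *st, int final_idx)
{
    if (final_idx + 1 >= IEEE80211_TX_MAX_RATES) return 0; /* array is full */
    st->rates[final_idx + 1].idx = -1;
    return 1;
}

/* ack_signal as seen after TX completion with the given final rate index. */
static int32_t ack_after(int final_idx, int patched)
{
    struct tx_status_model st = { .ack_signal = ACK_SAMPLE };
    if (patched) mark_end_patched(&st, final_idx);
    else mark_end_unpatched(&st, final_idx);
    return st.ack_signal;
}

int main(void)
{
    printf("%#x %#x\n", (unsigned)ack_after(3, 0), (unsigned)ack_after(3, 1));
    return 0;
}
```

With a final index of 3 the unguarded write changes one byte of ack_signal, while the guarded version leaves it intact and still terminates the list for indices 0 through 2.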
Workarounds
- Blacklist the ath5k module on systems that do not require AR5212-based wireless connectivity until a patched kernel is deployed
- Replace legacy AR5212 hardware with adapters supported by modern drivers such as ath9k or ath10k
- Disable wireless interfaces on servers and fixed-function appliances that do not need Wi-Fi
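# Blacklist the ath5k driver until the kernel patch is applied
echo "blacklist ath5k" | sudo tee /etc/modprobe.d/disable-ath5k.conf
# Unload the module if it is currently loaded (ignore the error if it is not)
sudo rmmod ath5k 2>/dev/null || true
# Rebuild the initramfs so the blacklist also applies at early boot (Debian/Ubuntu)
sudo update-initramfs -u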


