PatchSiren

CVE-2026-46122 Linux CVE debrief

A bounds-checking vulnerability in the Linux kernel's b43 wireless driver allows out-of-bounds memory access when processing received frames. The b43_rx() function accepts a firmware-controlled key index without enforcing array bounds against the 58-entry dev->key[] array. The existing B43_WARN_ON() macro is non-enforcing in production builds, permitting out-of-bounds reads. The fix converts this warning into an enforced check that drops frames with invalid key indices.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running Linux systems with Broadcom 43xx wireless hardware; kernel maintainers and distributors packaging the b43 driver; security teams tracking Linux kernel wireless subsystem vulnerabilities.

Technical summary

The b43_rx() function in drivers/net/wireless/broadcom/b43/main.c processes received 802.11 frames using a key index provided by firmware. The dev->key[] array is fixed at 58 entries (B43_NR_KEYS). The existing B43_WARN_ON(index >= B43_NR_KEYS) check uses WARN_ON, which compiles to a no-op in production builds when CONFIG_BUG is not enabled, so the out-of-bounds access proceeds. The fix replaces the non-enforcing warning with logic that drops the frame, preventing further processing when the firmware returns an invalid key index.
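The difference between a warning and an enforced check can be seen in a small user-space model. This is an added example, not the kernel's code or the upstream patch: the struct layout, function names and counters are hypothetical, and only the 58-entry array size comes from the summary above.

```c
#include <stdio.h>
#define NR_KEYS 58 /* size of dev->key[] per the summary (B43_NR_KEYS) */

/* Constructed user-space stand-ins; not the driver's real structures. */
struct model_key { int in_use; };
struct model_dev {
    struct model_key key[NR_KEYS];
    unsigned long warn_hits;  /* times the warning condition was true */
    unsigned long rx_dropped; /* frames rejected by the enforced check */
};

/* Warning-style macro: notes the condition, never alters control flow. */
#define MODEL_WARN_ON(dev, cond) do { if (cond) (dev)->warn_hits++; } while (0)

/* "Before" shape. Returns 1 when execution reaches the key lookup.
 * The lookup itself is omitted so the model stays memory-safe. */
int rx_warn_only(struct model_dev *dev, unsigned int keyidx)
{
    MODEL_WARN_ON(dev, keyidx >= NR_KEYS);
    return 1; /* the driver would index dev->key[keyidx] at this point */
}

/* "After" shape: an invalid index drops the frame before any lookup. */
const struct model_key *rx_checked(struct model_dev *dev, unsigned int keyidx)
{
    if (keyidx >= NR_KEYS) {
        dev->rx_dropped++;
        return NULL; /* frame dropped */
    }
    return &dev->key[keyidx];
}

/* Run a batch of firmware-reported indices; return how many were accepted. */
unsigned int rx_batch(struct model_dev *dev, const unsigned int *idx, unsigned int n)
{
    unsigned int ok = 0;
    for (unsigned int i = 0; i < n; i++)
        ok += rx_checked(dev, idx[i]) != NULL;
    return ok;
}

int main(void)
{
    struct model_dev dev = {0};
    const unsigned int sample[] = {0, 57, 58, 63, 0xFFFFFFFFu}; /* constructed */
    unsigned int ok = rx_batch(&dev, sample, 5);
    printf("accepted=%u dropped=%lu\n", ok, dev.rx_dropped);
    return 0;
}
```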

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates from stable branches when available
  • Monitor NVD for CVSS scoring once analysis completes
  • Review b43 driver configurations on systems using Broadcom 43xx wireless hardware
  • Validate that production kernel builds do not disable WARN_ON enforcement macros

Evidence notes

CVE published 2026-05-28. Linux kernel stable branch commits provided as references. No CVSS score or severity assigned by NVD at time of disclosure (status: Awaiting Analysis). No KEV listing.
