CVE-2026-46163 Linux CVE debrief

Who should care

Organizations running Linux systems with legacy Broadcom wireless hardware (BCM4301, BCM4303, BCM4306, BCM4309, BCM4311, BCM4318) using the b43legacy driver; embedded/IoT devices with these chipsets; Linux distribution maintainers packaging kernel updates

Technical summary

The b43legacy wireless driver for legacy Broadcom chipsets contains a validation gap in its receive path. Frame metadata from firmware includes a key index field used to select encryption keys from dev->key[]. The existing B43legacy_WARN_ON() macro logs out-of-bounds conditions but does not prevent memory access in production builds where WARN_ON is non-fatal. An attacker able to influence firmware behavior or craft malicious frames could supply an index exceeding dev->max_nr_keys, resulting in out-of-bounds kernel memory reads. The resolution replaces the non-enforcing warning with an explicit bounds validation that drops frames carrying invalid key indices, matching the defensive pattern previously applied to the b43 driver.

Defensive priority

medium

Recommended defensive actions

• Apply kernel updates containing the b43legacy bounds check fix when available from your Linux distribution
• Monitor stable kernel branches for backported fixes if running long-term support kernels
• Consider disabling b43legacy hardware if patches are unavailable and the threat model includes local network attackers
• Review systems using Broadcom BCM4301/4303/4306/4309/4311/4318 wireless chipsets which utilize the b43legacy driver

Evidence notes

Vulnerability description confirms the issue exists in the RX path of the b43legacy WiFi driver. The fix pattern mirrors a prior correction in the related b43 driver. Multiple stable kernel branches received backports as evidenced by separate git.kernel.org stable commits.

Official resources