CVE-2026-46152
Analyzed Analyzed - Analysis Complete
Race Condition in Linux Kernel's mac80211 Fast-RX Mechanism

Publication date: 2026-05-28

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: drop stray 'static' from fast-RX rx_result ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res. That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued. Make res an automatic variable so each invocation keeps its own result.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-09
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46152
EUVD
EUVD-2026-32779
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.30 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.7 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.88 (exc)
linux linux_kernel From 6.4 (inc) to 6.6.140 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's wifi mac80211 component. The function ieee80211_invoke_fast_rx() is intended to be safe for parallel reception (RX) of packets, but it uses a static variable for its per-invocation result (rx_result). Because this variable is static, concurrent calls to the function share the same instance, which can cause them to overwrite each other's results.

As a result, packets that were queued or consumed by one part of the code (ieee80211_rx_mesh_data()) might incorrectly fall through to another handler (ieee80211_rx_8023()), or packets that should continue processing might be incorrectly marked as queued. The fix was to change the static variable to an automatic variable so that each function call maintains its own independent result.

Impact Analysis

This vulnerability can cause incorrect handling of wifi packets in the Linux kernel. Specifically, packets may be misrouted or improperly processed due to concurrent calls overwriting shared state. This could lead to network instability, packet loss, or unexpected behavior in wireless communications.

Mitigation Strategies

The vulnerability has been resolved by modifying the Linux kernel code to make the variable 'res' an automatic variable instead of static in the ieee80211_invoke_fast_rx() function. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46152. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart