CVE-2026-46307
Received Received - Intake
Array Index Out of Bounds in Linux Kernel ath5k Driver

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: wifi: ath5k: do not access array OOB Vincent reports: > The ath5k driver seems to do an array-index-out-of-bounds access as > shown by the UBSAN kernel message: > UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20 > index 4 is out of range for type 'ieee80211_tx_rate [4]' > ... > Call Trace: > <TASK> > dump_stack_lvl+0x5d/0x80 > ubsan_epilogue+0x5/0x2b > __ubsan_handle_out_of_bounds.cold+0x46/0x4b > ath5k_tasklet_tx+0x4e0/0x560 [ath5k] > tasklet_action_common+0xb5/0x1c0 It is real. 'ts->ts_final_idx' can be 3 on 5212, so: info->status.rates[ts->ts_final_idx + 1].idx = -1; with the array defined as: struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES]; while the size is: #define IEEE80211_TX_MAX_RATES 4 is indeed bogus. Set this 'idx = -1' sentinel only if the array index is less than the array size. As mac80211 will not look at rates beyond the size (IEEE80211_TX_MAX_RATES). Note: The effect of the OOB write is negligible. It just overwrites the next member of info->status, i.e. ack_signal.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-09
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-46307
EUVD
EUVD-2026-35172
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux_kernel ath5k *
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an array-index-out-of-bounds (OOB) access in the Linux kernel's ath5k wireless driver. Specifically, the driver attempts to access an element beyond the bounds of an array defined to hold four transmission rates, but the code tries to access the fifth element (index 4), which does not exist.

The issue arises because the code sets a sentinel value (idx = -1) at an array index that can be equal to the array size, which is invalid. This causes an out-of-bounds write that overwrites the next member in the data structure, ack_signal.

The vulnerability was detected by the UBSAN (Undefined Behavior Sanitizer) tool, which flagged the out-of-bounds access during runtime.

Impact Analysis

The impact of this out-of-bounds write is considered negligible because it only overwrites the adjacent member (ack_signal) in the status structure.

Since the overwritten data is not critical and the array access is limited to a small, specific part of the wireless driver, the vulnerability is unlikely to cause significant harm such as system crashes or privilege escalation.

Detection Guidance

This vulnerability can be detected by monitoring kernel messages for UBSAN (Undefined Behavior Sanitizer) warnings related to array-index-out-of-bounds in the ath5k driver.

Specifically, look for messages similar to: "UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c" indicating an out-of-range index access.

You can use the following command to check the kernel log for such messages:

  • dmesg | grep -i ubsan
  • journalctl -k | grep -i ubsan

These commands will help identify if the kernel has logged any out-of-bounds array access related to the ath5k wireless driver.

Mitigation Strategies

The vulnerability involves an out-of-bounds array access in the ath5k wireless driver in the Linux kernel.

Immediate mitigation steps include updating the Linux kernel to a version where this issue has been resolved.

Since the effect of the out-of-bounds write is negligible and only overwrites the next member of the status structure, the primary fix is to ensure the kernel source code includes the proper boundary check before writing to the array.

If updating the kernel is not immediately possible, consider disabling the ath5k wireless driver temporarily to prevent triggering the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46307. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart