CVE-2026-43110

high

Published 2026-05-06 · Modified 2026-06-01

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

8.8

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.8

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as an array index without a matching range check. Reject IF events whose bsscfg index does not fit in drvr->iflist[] before indexing the interface array. [add missing wifi prefix]

Predictions

Exploit likelihood

82%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description kernel: wifi: brcmfmac: validate bsscfg indices in IF events Red Hat statement brcmfmac IF event handling validates the firmware provided ifidx but still uses the raw bsscfgidx value as an index into the driver iflist array. A malformed firmware IF event with an out of range bsscfgidx can cause an out of bounds pointer read and may lead to an invalid pointer dereference or broader…

Description

kernel: wifi: brcmfmac: validate bsscfg indices in IF events

Red Hat statement

brcmfmac IF event handling validates the firmware provided ifidx but still uses the raw bsscfgidx value as an index into the driver iflist array. A malformed firmware IF event with an out of range bsscfgidx can cause an out of bounds pointer read and may lead to an invalid pointer dereference or broader memory corruption depending on how the resulting ifp is used. For the CVSS the PR:N is used in the paranoid score because a practical attacker model may involve adjacent Wi-Fi influence over FullMAC firmware events rather than a local privileged user on the host. The issue is not reachable over a normal routed IP network. It is adjacent network or device firmware mediated. Impact is at least denial of service through a kernel crash or Wi-Fi driver failure. In the paranoid case, the unchecked firmware controlled array index potentially could lead to possible confidentiality and integrity impact (but primarily only Availability impact).

CVSS v3: 7.5 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Package state

Product	Package	State
Red Hat Enterprise Linux 10	`kernel`	Affected
Red Hat Enterprise Linux 6	`kernel`	Not affected
Red Hat Enterprise Linux 7	`kernel`	Affected
Red Hat Enterprise Linux 7	`kernel-rt`	Affected
Red Hat Enterprise Linux 8	`kernel`	Affected
Red Hat Enterprise Linux 8	`kernel-rt`	Affected
Red Hat Enterprise Linux 9	`kernel`	Affected
Red Hat Enterprise Linux 9	`kernel-rt`	Affected

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 6	`Not affected`
redhat	Red Hat Enterprise Linux 7	`Affected`
redhat	Red Hat Enterprise Linux 7	`Affected`
redhat	Red Hat Enterprise Linux 8	`Affected`
redhat	Red Hat Enterprise Linux 8	`Affected`
redhat	Red Hat Enterprise Linux 9	`Affected`
redhat	Red Hat Enterprise Linux 9	`Affected`

OS impact

Linux kernel Affected 2 releases

Version	Status	Fixed in
7.0	Affected	—
—	Affected	`6.6.136`

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Debian Mixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`6.12.85-1`
sid	Fixed	`6.19.14-1`
forky	Fixed	`6.19.14-1`
bullseye	Affected	—
bookworm	Affected	—

Red Hat Fixed 1 release

Version	Status	Fixed in
9	Fixed	—

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.