Описание
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: validate bsscfg indices in IF events
brcmf_fweh_handle_if_event() validates the firmware-provided interface
index before it touches drvr->iflist[], but it still uses the raw
bsscfgidx field as an array index without a matching range check.
Reject IF events whose bsscfg index does not fit in drvr->iflist[]
before indexing the interface array.
[add missing wifi prefix]
A flaw was found in the Linux kernel's brcmfmac Wi-Fi driver. This vulnerability occurs because the driver fails to properly validate bsscfg indices in interface (IF) events. An attacker could exploit this by sending a specially crafted IF event with an invalid bsscfg index, which could lead to an out-of-bounds write or read, potentially causing a system crash and resulting in a denial of service (DoS).
Отчет
brcmfmac IF event handling validates the firmware provided ifidx but still uses the raw bsscfgidx value as an index into the driver iflist array. A malformed firmware IF event with an out of range bsscfgidx can cause an out of bounds pointer read and may lead to an invalid pointer dereference or broader memory corruption depending on how the resulting ifp is used. For the CVSS the PR:N is used in the paranoid score because a practical attacker model may involve adjacent Wi-Fi influence over FullMAC firmware events rather than a local privileged user on the host. The issue is not reachable over a normal routed IP network. It is adjacent network or device firmware mediated. Impact is at least denial of service through a kernel crash or Wi-Fi driver failure. In the paranoid case, the unchecked firmware controlled array index potentially could lead to possible confidentiality and integrity impact (but primarily only Availability impact).
Меры по смягчению последствий
To mitigate this issue, prevent module brcmfmac from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel | Affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 10 | kernel | Fixed | RHSA-2026:21557 | 28.05.2026 |
| Red Hat Enterprise Linux 10.0 Extended Update Support | kernel | Fixed | RHSA-2026:24343 | 08.06.2026 |
| Red Hat Enterprise Linux 8 | kernel-rt | Fixed | RHSA-2026:26428 | 16.06.2026 |
| Red Hat Enterprise Linux 8 | kernel | Fixed | RHSA-2026:26427 | 16.06.2026 |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | kernel | Fixed | RHSA-2026:26535 | 17.06.2026 |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | kernel | Fixed | RHSA-2026:26535 | 17.06.2026 |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as an array index without a matching range check. Reject IF events whose bsscfg index does not fit in drvr->iflist[] before indexing the interface array. [add missing wifi prefix]
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as an array index without a matching range check. Reject IF events whose bsscfg index does not fit in drvr->iflist[] before indexing the interface array. [add missing wifi prefix]
In the Linux kernel, the following vulnerability has been resolved: w ...
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as an array index without a matching range check. Reject IF events whose bsscfg index does not fit in drvr->iflist[] before indexing the interface array. [add missing wifi prefix]
7.5 High
CVSS3