CVE-2026-43113

wifi: wl1251: validate packet IDs before indexing tx_frames

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: validate packet IDs before indexing tx_frames wl1251_tx_packet_cb() uses the firmware completion ID directly to index
the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the
completion block, and the callback does not currently verify that it
fits the array before dereferencing it. Reject completion IDs that fall outside wl->tx_frames[] and keep the
existing NULL check in the same guard. This keeps the fix local to the
trust boundary and avoids touching the rest of the completion flow.

*Credits: N/A

CVSS Scores

kernel.orgv3.1 8.8

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2026-05-01 CVE Reserved
2026-05-06 CVE Published
2026-05-11 CVE Updated
2026-05-12 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-476: NULL Pointer Dereference

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/2f01a1f58889fbfeb68b1bc1b52e4197f3333490	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/b6ba1eacf276063ebeefbbae8056043c24f2efaf	2026-04-27
https://git.kernel.org/stable/c/df15adc692a802636dd3f258fc7cca8bf7a0ed9a	2026-04-22
https://git.kernel.org/stable/c/8d7465be5163a923ee5d7459719ef5a021c1584a	2026-04-22
https://git.kernel.org/stable/c/26ee518695c484f75e3606d631278e84bd24ae02	2026-04-22
https://git.kernel.org/stable/c/0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0	2026-03-24

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 6.6.136 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 6.6.136"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 6.12.83 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 6.12.83"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 6.18.24 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 6.18.24"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 6.19.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 6.19.14"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 7.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 7.0"		en		Affected