Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-06T00:00:00 kernel: wifi: wl1251: validate packet IDs before indexing tx_frames 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CWE-1285

In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: validate packet IDs before indexing tx_frames wl1251_tx_packet_cb() uses the firmware completion ID directly to index the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the completion block, and the callback does not currently verify that it fits the array before dereferencing it. Reject completion IDs that fall outside wl->tx_frames[] and keep the existing NULL check in the same guard. This keeps the fix local to the trust boundary and avoids touching the rest of the completion flow.

A flaw was found in the `wl1251` Wi-Fi driver within the Linux kernel. The `wl1251_tx_packet_cb()` function processes firmware completion IDs without proper validation, allowing an attacker to use a crafted ID to access memory outside of allocated bounds. This out-of-bounds access could lead to memory corruption and potentially a denial of service.

Red Hat Enterprise Linux 10 Not affected kernel Red Hat Enterprise Linux 6 Out of support scope kernel Red Hat Enterprise Linux 7 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel-rt Red Hat Enterprise Linux 8 Not affected kernel Red Hat Enterprise Linux 8 Not affected kernel-rt Red Hat Enterprise Linux 9 Not affected kernel Red Hat Enterprise Linux 9 Not affected kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-43113 https://nvd.nist.gov/vuln/detail/CVE-2026-43113 https://lore.kernel.org/linux-cve-announce/2026050625-CVE-2026-43113-cc30@gregkh/T