{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-06T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: wifi: brcmfmac: validate bsscfg indices in IF events",
    "id" : "2467014",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2467014"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1285",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: brcmfmac: validate bsscfg indices in IF events\nbrcmf_fweh_handle_if_event() validates the firmware-provided interface\nindex before it touches drvr->iflist[], but it still uses the raw\nbsscfgidx field as an array index without a matching range check.\nReject IF events whose bsscfg index does not fit in drvr->iflist[]\nbefore indexing the interface array.\n[add missing wifi prefix]", "A flaw was found in the Linux kernel's brcmfmac Wi-Fi driver. This vulnerability occurs because the driver fails to properly validate bsscfg indices in interface (IF) events. An attacker could exploit this by sending a specially crafted IF event with an invalid bsscfg index, which could lead to an out-of-bounds write or read, potentially causing a system crash and resulting in a denial of service (DoS)." ],
  "statement" : "brcmfmac IF event handling validates the firmware-provided ifidx but still uses the raw bsscfgidx value as an index into the driver iflist array. A malformed firmware IF event with an out-of-range bsscfgidx can cause an out-of-bounds pointer read and may lead to an invalid pointer dereference or broader memory corruption, depending on how the resulting ifp is used. For the CVSS score, PR:N is used in the paranoid score because a practical attacker model may involve adjacent Wi-Fi influence over FullMAC firmware events rather than a local privileged user on the host. The issue is not reachable over a normal routed IP network; it is adjacent-network or device-firmware mediated. Impact is at least denial of service through a kernel crash or Wi-Fi driver failure. In the paranoid case, the unchecked firmware-controlled array index could potentially lead to confidentiality and integrity impact (but primarily only Availability impact).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21557",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "kernel-0:6.12.0-211.18.1.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24343",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.77.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27729",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "kernel-0:3.10.0-1160.153.1.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-16T00:00:00Z",
    "advisory" : "RHSA-2026:26428",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.134.1.rt7.475.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-16T00:00:00Z",
    "advisory" : "RHSA-2026:26427",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.134.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26535",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.194.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26535",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.194.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-06-12T00:00:00Z",
    "advisory" : "RHSA-2026:25533",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.195.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-06-12T00:00:00Z",
    "advisory" : "RHSA-2026:25533",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.6",
    "package" : "kernel-0:4.18.0-372.195.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26563",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.147.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26563",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.147.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21556",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-687.12.1.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21556",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-687.12.1.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26462",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.176.1.rt14.461.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions",
    "release_date" : "2026-06-04T00:00:00Z",
    "advisory" : "RHSA-2026:23237",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.4",
    "package" : "kernel-0:5.14.0-427.129.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-06-11T00:00:00Z",
    "advisory" : "RHSA-2026:25218",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.120.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43110\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43110\nhttps://lore.kernel.org/linux-cve-announce/2026050624-CVE-2026-43110-7309@gregkh/T" ],
  "name" : "CVE-2026-43110",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module brcmfmac from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}