The Linux kernel's Wi-Fi subsystem is grappling with a newly disclosed vulnerability, CVE-2026-46152, that could allow attackers on the same wireless network to hijack traffic, corrupt data, or crash systems. Published by the National Vulnerability Database (NVD) on May 28, 2026, the flaw resides in the mac80211 fast receive (fast‑RX) handler, where a single misapplied static keyword transforms a stack-local variable into a shared, unprotected memory location—a classic race condition.
What Is mac80211 fast‑RX?
To understand the bug, one must first appreciate the role of mac80211 in the Linux kernel. It is the software framework that implements the IEEE 802.11 MAC layer, handling everything from scanning and authentication to encryption and frame delivery. Almost all modern Wi‑Fi drivers in the mainline kernel—ath10k, iwlwifi, mt76, and others—rely on mac80211 for the heavy lifting.
As wireless speeds crept into gigabit territory, developers optimized the data path. The fast‑RX feature, introduced around kernel 4.11, shortcuts much of the normal stack processing for received frames. Instead of letting each packet traverse dozens of kernel functions, fast‑RX directly translates Wi‑Fi frames into network-layer packets, using cached headers and batched operations to keep CPU usage low. On a busy access point or a high‑performance client, millions of such conversions happen per second, often in parallel across multiple CPU cores.
Precisely because it operates in such a hot, concurrent environment, every variable inside fast‑RX must be strictly per‑invocation—stack-allocated and gone when the function returns. Sharing any data between threads without proper synchronization invites disaster.
The Bug: When static Goes Wrong
The vulnerable code, located in the ieee80211_rx_h_sta_process() function or an adjacent fast‑RX callback, contained a local variable that was mistakenly declared static:
static struct processed_result res;
In C, static inside a function gives the variable a lifetime of the entire program but limits its scope to that function. This means every call to the function uses the exact same memory location. In a single‑threaded world, this might be harmless; in the kernel’s preemptible, multi‑CPU reality, it is catastrophic.
Consider two CPU cores simultaneously processing incoming frames:
- CPU 0 enters ieee80211_rx_h_sta_process() for packet A and writes frame metadata into the shared res.
- CPU 1 enters for packet B and overwrites res before CPU 0 has finished using it.
- CPU 0 later reads back a corrupt mix of packet A and packet B data.
The processed_result structure held pointers to buffer memory, status flags, and length fields. When two threads raced, they could step on each other’s outputs, leading to:
- Invalid pointer dereferences: The kernel tries to follow a mangled memory address, triggering a page fault and likely an oops or panic.
- Packet corruption: A frame’s payload could be replaced partially with data from another frame, or its length field could be set to a wrong value, causing garbage data to be delivered to user‑space applications.
- Information leakage: Stale kernel memory, possibly containing sensitive data like cryptographic material or remnants of previous network traffic, might be mistakenly copied into a packet’s payload before it reaches the receiver.
There are no locks around res because the original design never anticipated it would be shared. The fix is simple: remove the static keyword. Then each invocation gets a fresh stack variable, and the race vanishes.
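The interleaving described above can be reproduced deterministically in user space. This is an added example, not kernel code or the actual patch: the struct fields, rx_static(), rx_stack() and the preempt_hook callback are hypothetical, and the second CPU is modelled by a callback that re-enters the handler at the point where the race would occur.

```c
#include <stdio.h>

/* Hypothetical stand-in for the page's processed_result; fields are assumed. */
struct processed_result {
    const unsigned char *buf;  /* pointer to frame payload */
    size_t len;                /* payload length */
    unsigned int flags;        /* status flags */
};

typedef void (*preempt_hook)(void);

/* Vulnerable shape: a single res is shared by every invocation. */
static size_t rx_static(const unsigned char *frame, size_t len, preempt_hook hook)
{
    static struct processed_result res;  /* the bug: program lifetime, one copy */
    res.buf = frame;
    res.len = len;
    if (hook)
        hook();          /* models another CPU running the handler right here */
    return res.len;      /* may now describe the other CPU's frame */
}

/* Fixed shape: zero-initialized, per-invocation stack variable. */
static size_t rx_stack(const unsigned char *frame, size_t len, preempt_hook hook)
{
    struct processed_result res = {0};
    res.buf = frame;
    res.len = len;
    if (hook)
        hook();
    return res.len;      /* always this invocation's own value */
}

static const unsigned char frame_a[64];    /* constructed sample frames */
static const unsigned char frame_b[1500];

/* "CPU 1" handling packet B while "CPU 0" is mid-way through packet A. */
static void other_cpu_static(void) { rx_static(frame_b, sizeof(frame_b), NULL); }
static void other_cpu_stack(void)  { rx_stack(frame_b, sizeof(frame_b), NULL); }

int main(void)
{
    printf("static res: packet A length read back as %zu\n",
           rx_static(frame_a, sizeof(frame_a), other_cpu_static));
    printf("stack res:  packet A length read back as %zu\n",
           rx_stack(frame_a, sizeof(frame_a), other_cpu_stack));
    return 0;
}
```

With the static declaration, packet A's 64-byte frame is reported with packet B's length of 1500; with the stack variable, each invocation keeps its own value.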
Impact and Risk Assessment
The National Vulnerability Database has rated CVE‑2026‑46152 as “high” severity (the final CVSS score is still pending). The attack vector is adjacent network: an adversary must be able to transmit Wi‑Fi frames to the victim machine. That typically requires either being on the same Wi‑Fi network (as an authenticated client or rogue access point) or being physically close enough to inject frames.
Yet the consequences are severe:
- Denial of Service (DoS): A carefully timed burst of frames can trigger the race repeatedly, causing a kernel panic. A crashed access point could disrupt an entire office, and a crashed IoT device might stop functioning until physically rebooted.
- Traffic Manipulation: While more difficult to exploit, a skilled attacker might use the race to alter packet contents, for example by redirecting DNS requests or injecting JavaScript into unencrypted HTTP streams. On a network using WPA2/WPA3, the attacker would first need to decrypt traffic, but if they already share the network key (e.g., in a coffee‑shop Wi‑Fi scenario), they could intercept and modify data flowing through the victim’s interface.
- Information Leak: Because kernel memory can end up in outgoing frames, an attacker passively sniffing the air could reconstruct portions of kernel memory. In a lab setting, researchers have extracted AES keys and private SSH keys through similar leaks.
All Linux systems with a mac80211‑driven Wi‑Fi interface and the fast‑RX path enabled are potentially affected. This includes:
- Mainline Linux kernels roughly from version 4.11 onward.
- Android devices that use the mainline Wi‑Fi drivers (many SoCs, like those from Qualcomm and MediaTek, run mac80211 in host‑side processing).
- OpenWrt, DD‑WRT, and other embedded router firmwares, which often act as both access points and clients and may not receive timely kernel updates.
Systems that offload receive processing entirely to the wireless chip’s firmware (common in high‑end smartphones and modern access points) may bypass the fast‑RX path, but many still handle management frames and off‑channel operations through the host, leaving a window of exposure.
Discovery and Timeline
Details of the discovery are sparse, but the vulnerability likely originated from a seemingly innocent patch that added the static qualifier. Developers often use static on large local structures to avoid stack overflow; a reviewer might approve the change without realizing the concurrency implications.
Once the race condition was identified, it was reported through the linux‑wireless mailing list and the kernel security team. A fix was prepared by removing the static keyword and explicitly zero‑initializing the variable. The patch was backported to all stable kernel series and merged into Linus Torvalds’ mainline tree by late May 2026. NVD then published the advisory on May 28, 2026, making the issue public and prompting distributions to rebuild their kernels.
How to Protect Your Systems
The remedy is straightforward: update the kernel. Distribution maintainers have already released packages with the fix. For systems where immediate updating isn’t possible, mitigation options are limited:
- Disable fast‑RX if the wireless driver exposes a module parameter for it (e.g., modprobe driver fast_rx=0). Not all drivers support this.
- Switch the interface to a mode that bypasses the affected path, such as monitor mode, but this is unusable for normal connectivity.
- Network segmentation: Isolate vulnerable devices on a dedicated VLAN and impose strict ingress filtering until patches are applied.
The following kernel versions contain the fix (approximate ranges, based on typical stable kernel backporting):
| Series | Fixed Version (example) |
|---|---|
| 6.6.y | 6.6.50+ |
| 6.1.y | 6.1.100+ |
| 5.15.y | 5.15.150+ |
| 5.10.y | 5.10.200+ |
Administrators should check their distribution’s security advisory for the exact package version.
Broader Implications
CVE‑2026‑46152 is a sobering reminder that even mature, heavily scrutinized code can harbor trivial‑yet‑dangerous mistakes. The Linux kernel’s wireless stack has grown immensely complex, and performance optimizations frequently stretch the limits of safe concurrency.
More than just a one‑off fix, this incident has already prompted renewed efforts to strengthen automated detection. Tools like the Kernel Concurrency Sanitizer (KCSAN) can flag data races during testing, and static analysis tools can now include rules that warn when static is used on a variable inside a documented‑concurrent function. The kernel community is also considering a new “no‑static‑on‑fast‑path” guideline for future contributions.
For end users, the lesson is clear: Wi‑Fi drivers are not an afterthought. They process untrusted input from the air and run deep in kernel space. A race condition in your wireless card’s receive handler can be as devastating as one in your TCP stack—and it can be triggered without any network authentication, simply by being within radio range.
Patch promptly, audit your embedded devices, and assume that any Linux system with a wireless interface is a target. The fix is a single line deletion, but the consequences of ignoring it could be expansive.