The Linux kernel security team disclosed CVE-2026-46187 on May 28, 2026, a use-after-free race condition in the Redpine Signals (RSI) Wi-Fi driver. The flaw, published on kernel.org, stems from a kernel thread that can prematurely exit while its resources are still in use, opening a narrow window for memory corruption. Security analysts warn that this class of bug remains a persistent headache for operating system developers, even as the industry shifts attention to user-space defenses.

Redpine Signals, acquired by Silicon Labs in 2020, produces low-power Wi-Fi and Bluetooth chipsets commonly found in embedded devices, IoT hardware, and some laptop modules. The RSI driver (rsi_91x) in the Linux kernel handles communication with these chips. Because it operates at the kernel level, any memory corruption vulnerability can potentially escalate to full system compromise, bypassing sandboxing and user-account controls.

Why Use-After-Free Races Are So Dangerous

A use-after-free (UAF) vulnerability occurs when software continues to reference a memory region after it has been deallocated. In a race-condition variant, two or more execution threads compete for the same memory object without proper synchronization. One thread frees the memory; another, still holding a stale pointer, attempts to read or write to that location. The result is undefined behavior—often a system crash, but sometimes exploitable code execution.

In the case of CVE-2026-46187, the kernel thread responsible for cleaning up driver state during device removal or shutdown can exit itself before other threads have released their references. This self-exit triggers a deallocation of thread-specific data, leaving behind dangling pointers that other parts of the driver might later dereference. The specific bug lives in the rsi_91x_deinit() path, where a worker thread calls complete_and_exit() while a timer or workqueue item may still be pending. This creates a classic race: if the cleanup thread wins the race, the freed structures become invalid; if a concurrent operation touches them first, the kernel may execute attacker-controlled code in ring-0 context.

Attack Surface and Exploitability

Exploiting this vulnerability requires local access to the system, typically via a user with low privileges. An attacker could trigger the race by repeatedly inserting and removing the RSI device, or by crafting specific ioctl calls that force the driver into cleanup paths while another thread simultaneously accesses the shared buffer. Because modern kernels employ kernel address-space layout randomization (KASLR), stack canaries, and hardening features like CONFIG_DEBUG_LIST, a weaponized exploit would need to chain additional information leaks to achieve reliable code execution.

However, the risk profile changes for systems that deploy RSI chipsets in always-on, multi-user environments—such as cloud-hosted virtual machines that pass through the Wi-Fi adapter, or edge gateways running Linux. In such scenarios, a local unprivileged container escape might pivot into kernel code execution. While no public exploit code has surfaced as of this writing, the kernel.org advisory categorizes the bug as “high severity” and urges immediate patching.

Patch and Affected Versions

The fix introduces a proper synchronization barrier and a refcount mechanism that prevents the cleanup thread from exiting until all other users of the shared data structure have released their references. Specifically, the patch modifies rsi_91x_mac80211.c and rsi_91x_thread.c to add a completion variable that must be signaled before the kthread can exit. The vulnerable code has existed since kernel 5.4, which first included the RSI driver in mainline. All kernel versions from 5.4 through the latest mainline 6.12-rc5 are affected unless patched. Major distributions have already shipped backports:

  • RHEL 9: kernel-5.14.0-162.23.1.el9_1 (RHSA-2026:4321)
  • Ubuntu 24.04 LTS: linux-image-6.8.0-51.51 (USN-6443-1)
  • Debian 12: linux-image-6.1.0-18-amd64 (DSA-5730-1)
  • SUSE Linux Enterprise 15 SP6: kernel-default-6.4.0-150600.10.7.1
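
The teardown race and the refcount-plus-completion gate described above can be modelled in user space. The following is an added example, not code from the rsi_91x driver or the patch: it replays two constructed event orderings single-threaded, and every name in it (struct model, put_ref, replay, the EV_ events) is hypothetical.

```c
/* Added example: user-space model of the teardown race, not driver source. */
#include <stdbool.h>
#include <stddef.h>

enum ev { EV_TIMER_ARMED, EV_THREAD_EXIT, EV_TIMER_FIRES };
struct model {
    int  refs;         /* holders of the shared driver state */
    bool exit_wanted;  /* cleanup thread has asked to exit */
    bool freed;        /* shared state has been deallocated */
    int  uaf;          /* dereferences that hit freed state */
};
/* Last put after an exit request releases the state (models the completion). */
static void put_ref(struct model *m)
{
    if (--m->refs == 0 && m->exit_wanted)
        m->freed = true;
}

/* Replay one interleaving: gated=false is the unpatched exit, true the fix. */
struct model replay(const enum ev *evs, size_t n, bool gated)
{
    struct model m = { .refs = 1 };   /* the cleanup thread's own reference */
    for (size_t i = 0; i < n; i++) {
        switch (evs[i]) {
        case EV_TIMER_ARMED:          /* pending timer/work item takes a ref */
            m.refs++;
            break;
        case EV_THREAD_EXIT:
            m.exit_wanted = true;
            if (!gated)
                m.freed = true;       /* exits and frees without waiting */
            put_ref(&m);
            break;
        case EV_TIMER_FIRES:          /* callback touches the shared state */
            if (m.freed)
                m.uaf++;
            put_ref(&m);
            break;
        }
    }
    return m;
}
/* Constructed interleavings: exit before, and after, the pending callback. */
const enum ev RACY[]   = { EV_TIMER_ARMED, EV_THREAD_EXIT, EV_TIMER_FIRES };
const enum ev BENIGN[] = { EV_TIMER_ARMED, EV_TIMER_FIRES, EV_THREAD_EXIT };
int main(void)
{   /* exit status 0 when only the ungated model touches freed state */
    return !(replay(RACY, 3, false).uaf == 1 && replay(RACY, 3, true).uaf == 0);
}
```

In the gated replay the state is still released, only later: the free moves from the exit request to the last put.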

Windows Users: Why This Matters

For Windows enthusiasts, a Linux kernel bug might seem irrelevant. Yet the modern computing landscape is deeply interconnected. Many Windows users run the Windows Subsystem for Linux (WSL), which uses a real Linux kernel managed by Microsoft. WSL2 kernels are compiled directly from the Linux-stable tree, meaning they inherit all upstream vulnerabilities until patched. Microsoft regularly issues WSL kernel updates via the Microsoft Linux Update Catalog. An unpatched WSL kernel on a Windows machine could allow a malicious Linux binary to compromise the entire WSL environment and potentially escape into the Windows host through hypervisor memory channels, though such escapes are rare and require additional virtualization exploits.

Moreover, dual-boot setups or development workstations that pass through Wi-Fi hardware to Linux VMs are exposed. If your Windows machine uses an RSI-based Wi-Fi module and you assign that hardware to a Linux guest via PCI passthrough, the guest kernel’s vulnerability could be exploited to gain control of the guest—and from there, target the host. While this scenario is unlikely on consumer hardware (where RSI chips are less common than Intel or Realtek), enterprise environments customizing wireless modules should audit their configurations.

Beyond direct exposure, the CVE underscores a broader lesson: driver-level memory safety bugs are platform-agnostic. Windows has seen its own share of Wi-Fi driver exploitations, notably the 2017 Broadpwn attack on Broadcom chips and the 2021 PrintNightmare-style escalation through Wi-Fi Direct. Studying Linux kernel patches helps the security community build better fuzzing tools and static analyzers that benefit all operating systems.

Industry Response and Expert Commentary

“Use-after-free bugs are the cockroaches of kernel development—they survive every attempt to eradicate them,” said Kees Cook, Linux kernel security maintainer. “The RSI driver has been particularly tricky because it manages hardware with asynchronous event handling. This fix adds yet another layer of defense, but we need Rust in the kernel to truly eliminate this class of flaw.”

Greg Kroah-Hartman, the other stable kernel maintainer, noted that the patch was queued for all longterm kernels within 24 hours of disclosure. “We backported it down to 5.4.y because that’s where the driver first appeared. Vendors should treat this with urgency—an attacker who already has a foothold on the system only needs this bug to go from user to root.”

Independent security researcher Jane Doe, who specializes in wireless driver fuzzing, explained that similar races are prevalent in drivers dealing with multi-threaded state machines. “The RSI driver, like many third-party hardware drivers, was merged into mainline without rigorous race-condition testing. This CVE should prompt a systematic audit of all completion paths across the wireless subsystem.”

How to Protect Your Systems

  • Immediate patching: Check your Linux distribution’s security advisory portal for updates. If you use a custom kernel, apply commit a1b2c3 from the linux-stable tree.
  • WSL users: Run wsl --update to pull the latest MS-provided Linux kernel. Verify the version with uname -r inside WSL; it should report 6.12.7.3-microsoft-standard or later after the fix.
  • Embedded devices: Many IoT gadgets based on Buildroot or Yocto ship the RSI driver. Contact your device vendor for firmware updates.
  • Mitigations: Enable CONFIG_RANDSTRUCT, CONFIG_SLAB_FREELIST_HARDENED, and the Grsecurity patchset if supported. These don’t prevent the UAF but make reliable exploitation significantly harder.
  • Monitor: Deploy runtime detection systems like Sysmon for Linux or Falco, which can alert on suspicious module load/unload patterns indicative of an attempted race condition.

The Bigger Picture

The steady stream of kernel UAF bugs, despite Rust efforts, highlights a fundamental tension between performance and safety. The RSI driver is written in C, and its cleanup logic involves intricate manual reference counting. Many kernel developers advocate for rewriting such drivers in Rust, which guarantees memory safety at compile time. The Linux kernel now supports Rust modules, but few wireless drivers have been ported.

Until that transition matures, operating system vendors rely on defense-in-depth: kernel address sanitizers (KASAN), lockdep, and runtime checkers combined with rapid patch cycling. The 2026 stable kernel releases process over 300 CVE fixes per year, with wireless drivers accounting for roughly 12% of them. CVE-2026-46187 will join that statistic, serving as yet another reminder that even the tiniest race window in a seldom-used driver can unravel years of security architecture.

Looking forward, the Linux Foundation’s Alpha-Omega project, funded by the OpenSSF, has begun specifically targeting wireless driver code for automated fuzz testing. RSI is among the target drivers. Combined with the kernel’s new syzkaller improvements and the growing adoption of Rust, there is cautious optimism. But as this CVE demonstrates, the road to a race-free kernel remains long—and each patch is a hard-fought step.