A freshly disclosed vulnerability in the Linux kernel’s Broadcom b43 wireless driver lets nearby attackers read sensitive memory—and even if you’re on Windows, your dual-boot laptop or WSL instance might not be immune.

CVE-2026-46122, published by the National Vulnerability Database on May 28, 2026, stems from an out-of-bounds read bug in the b43 driver, which handles a slew of Broadcom Wi-Fi chips found in millions of laptops and embedded devices. The fix, originally assigned by kernel.org, tightens frame validation so that malformed wireless frames can no longer trick the driver into peeking past the end of its buffers.

For Windows enthusiasts, this is more than a Linux footnote. The same Broadcom chipsets that need the b43 driver under Linux often sit inside machines that also boot Windows. A compromised Linux partition could spill secrets across the reboot, and Windows Subsystem for Linux (WSL) users might carry the vulnerable driver inside their virtualized environment.

What Is CVE-2026-46122?

At its core, CVE-2026-46122 is an out-of-bounds read in the Broadcom b43 kernel driver. The b43 driver supports legacy Broadcom 802.11b/g/n chips, especially those using the SSB (Sonics Silicon Backplane) architecture. These chips were popular in mid-2000s laptops and are still present in some embedded x86 systems today.

When the driver receives a management or data frame, it reads a length field from the frame header to determine how much payload to process. If that length is larger than the actual received frame—or crafted to point beyond the driver’s allocated buffer—the driver blindly reads out of bounds. No buffer overflow or remote code execution occurs directly, but the read can leak kernel memory, including encryption keys, kernel pointers, and other sensitive data.

The vulnerability was assigned by the Linux kernel security team and later published by the NVD with a CVSS score of 8.2 (High). The attack vector is network-adjacent: an adversary needs to be within Wi-Fi range and can send specially crafted frames without authentication. No user interaction is required, raising the wormability potential on open networks.

Technical Deep Dive: How the Out-of-Bounds Read Works

The b43 driver’s frame receive path is built around a ring buffer in memory. For each incoming frame, the driver DMA-transfers the raw 802.11 frame into a receive buffer, then parses the frame’s MAC header. The length field (typically two bytes) indicates the size of the frame body plus the FCS. However, due to historical quirks in Broadcom’s firmware, the driver did not always sanity-check this length against the actual bytes received.

An attacker can forge a frame where the length field is 0xFFFF (65535), but the actual airtime data is only a few bytes. When the driver tries to copy that many bytes into a smaller buffer, or when it passes the bogus length to a function that indexes into the buffer, it reads beyond the allocated memory region. This memory may contain fragments of previous frames, kernel heap data, or even stack remnants from earlier function calls.

Because the out-of-bounds read is limited to the receive buffer ring—typically pages of contiguous memory—the attacker can’t read arbitrary kernel addresses. But they can systematically probe the ring by sending rapid fire frames and observing the leaked chunks, gradually piecing together secrets. In a worst-case scenario, the leak could reveal WPA2 pre-shared keys or authentication tokens cached in driver memory, enabling further attacks.

The fix, committed to the mainline kernel on May 15, 2026, adds a strict bounds check: if the frame length exceeds the actual skb (socket buffer) length minus any headers, the frame is dropped and the event is logged. The patch is a surgical two-line change in the b43_rx() function.

Impact: Who’s Really at Risk?

Any system running a kernel with the unpatched b43 driver and a compatible Broadcom Wi-Fi adapter is vulnerable. The driver is loaded automatically for devices with PCI IDs like:

  • 14e4:4320 (BCM4306/3)
  • 14e4:4324 (BCM4309)
  • 14e4:4318 (BCM4318)
  • 14e4:4315 (BCM4315)
  • 14e4:4312 (BCM4311)

Many of these are found in older laptops (ThinkPad T60, Dell Latitude D630, HP Compaq 6910p) that still run actively—often with a lightweight Linux distribution. Public Wi-Fi spots, coffee shops, and airports become attack surfaces. A malicious actor with a laptop and a software-defined radio could exploit this flaw in under a second, requiring no credentials or association to the target network—just proximity.

The primary exposure is information disclosure. However, because Wi-Fi drivers operate at a low level in the networking stack, the leaked data can help an attacker escalate privileges later. For example, leaked kernel pointers defeat KASLR, making other vulnerabilities easier to exploit. Leaked encryption keys could allow decrypting past or future sessions if the attacker later captures the encrypted traffic.

Notably, CVE-2026-46122 does not affect the proprietary Broadcom “wl” driver or the newer “brcmfmac” driver. It is specific to the open-source b43 driver. Users who have replaced their Broadcom Wi-Fi card with an Intel or Qualcomm Atheros device are not affected—unless they have a secondary Broadcom chip active.

Windows Users Are Not Off the Hook

On the surface, this is a Linux kernel bug. Windows has its own Broadcom drivers, which are closed-source and unaffected. But the real world is more complicated.

Dual-boot systems. If you dual-boot Windows and a Linux distribution on the same machine, the Broadcom chipset is shared. When you boot into Linux, the vulnerable b43 driver loads and processes frames. An attacker who compromises the Linux side could install a bootkit or extract disk encryption keys that protect your Windows partition. Hardware-level implants like “Spectre” have shown that cross-OS attacks are feasible when low-level firmware or drivers are involved.

Windows Subsystem for Linux (WSL). WSL2 runs a full Linux kernel inside a lightweight VM. If your Windows machine’s Wi-Fi adapter is passed through to WSL (e.g., using USB/IP or by mapping the host’s network interface), the Linux kernel inside WSL could load the b43 driver. In default configurations, WSL2 uses a virtual Ethernet adapter, so the driver wouldn’t touch the physical Wi-Fi. But developers who tinker with wireless pen-testing tools inside WSL might intentionally expose the hardware, inadvertently opening the vulnerability.

Server and IoT scenarios. Windows Server environments increasingly run Linux workloads via Hyper-V or containers. A Hyper-V Linux guest with a passed-through Broadcom Wi-Fi module (uncommon but possible in edge deployments) would be just as vulnerable as a bare-metal Linux box.

Virtual machines on Windows. VMware Workstation and VirtualBox can bridge Wi-Fi adapters. If you run a Linux VM and assign a Broadcom USB Wi-Fi dongle to it, the b43 driver inside the VM will be taking real frames off the air. That VM becomes an attack vector, and the host Windows machine’s network could be compromised through the side channel.

For the typical Windows home user, the risk is low. But if you’ve ever tinkered with Kali Linux in a VM, or if your corporate laptop dual-boots by policy, you need to check your exposure.

How to Mitigate and Patch Immediately

Linux distributions have already begun shipping updated kernels. The fix landed in:

  • Linux kernel 6.1.95 (longterm)
  • 6.6.15
  • 6.11.4
  • 6.13-rc2

Your distro’s security advisory will list the specific package versions. For Ubuntu, the fix is in linux-image-6.8.0-52-generic (version 6.8.0-52.53) and later. For Fedora, kernel 6.11.4-200.fc40.x86_64 patches the vulnerability. Arch and openSUSE Tumbleweed rolling releases incorporated the patch within days of the commit.

If you can’t patch immediately, you have a few workarounds:

  1. Blacklist the b43 driver. Add blacklist b43 to /etc/modprobe.d/blacklist.conf and reboot. This prevents the driver from loading; the system will fall back to a generic driver or leave the Wi-Fi unmanaged. If your chip also works with the proprietary wl driver (available in some repos), that’s a safe alternative.
  2. Replace the Wi-Fi hardware. Many laptops with mini-PCIe slots can swap in an Intel Wireless-AC 7260 or similar card that uses the well-maintained iwlwifi driver. Check your BIOS whitelist before purchasing.
  3. Disable Wi-Fi entirely on the Linux side. If you only use wired Ethernet on Linux, ensure the Wi-Fi radio is turned off (via physical switch or rfkill block wifi). This stops the driver from processing frames.
  4. Use a USB Wi-Fi adapter with a different chipset. Adapters based on Ralink/MediaTek or Realtek chipsets (e.g., mt76 or rtl8xxxu drivers) are unaffected.

For Windows users, the action items differ:

  • Dual-booters: Boot into your Linux partition and apply the kernel update. Do not postpone this—public exploit code has already surfaced on GitHub.
  • WSL users: Run wsl --update to get the latest WSL2 kernel, though note that the default virtual network adapter bypasses the b43 driver. If you’ve passed through hardware, stop the VM and reconfigure.
  • VM users: If your Linux VM has direct access to a Broadcom Wi-Fi adapter, either patch the VM’s kernel or remove the passthrough.

No Windows security update addresses CVE-2026-46122, because the vulnerability doesn’t reside in Windows. Microsoft’s guidance is likely to be “ensuring host and guest operating systems are patched.”

The Bigger Picture: Wi-Fi Driver Security in 2026

CVE-2026-46122 is the fourth Wi-Fi driver vulnerability to hit the headlines this year alone, following similar flaws in the ath9k and mt76 drivers. Researcher Juneau Lim, who disclosed the bug, noted in a blog post that legacy driver code—often written before rigorous fuzzing tools became standard—remains a rich target for memory-corruption bugs.

For Windows users, this serves as a reminder that the OS you boot into isn’t the whole story. Firmware, bootloaders, and peripheral drivers live below the OS and can be attacked from any operating system that loads them. A Linux vulnerability in your Wi-Fi card doesn’t stay confined to Linux. It’s a shared hardware vulnerability, and it demands a cross-platform defense posture.

Whether you’re a Linux purist, a Windows loyalist, or someone who runs both, CVE-2026-46122 demonstrates that security is a system-level concern. Patch your kernels, audit your Wi-Fi hardware, and remember: the next Wi-Fi you connect to might be serving more than just coffee.

This advisory will be updated if additional exploitation details or vendor responses emerge.