CVE-2026-46152: wifi: mac80211: drop stray 'static' from fast-RX rx_result
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: drop stray 'static' from fast-RX rx_result
ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but
its per-invocation rx_result is declared static. Concurrent callers then
share one instance and can overwrite each other's result between
ieee80211_rx_mesh_data() and the switch on res.
That can make a packet that was queued or consumed by
ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make
a packet that should continue return as queued.
Make res an automatic variable so each invocation keeps its own result.
Security readout for executives and security teams
Plain-English summary
A Linux Wi-Fi kernel bug can mishandle packets during parallel receive processing. The published CVSS score is high, with adjacent-network attack scope and potential confidentiality, integrity, and availability impact. The evidence points to affected Linux kernels and mac80211 Wi-Fi paths, not a broad internet-facing service issue.
Executive priority
Treat as a high-priority kernel update for wireless-capable Linux assets, especially operational devices using Wi-Fi. It is not evidenced as actively exploited, but the CVSS impact is high and remediation is kernel-level.
Technical view
mac80211 fast-RX used a static rx_result where a per-call variable was expected. Concurrent RX callers could overwrite the shared result after ieee80211_rx_mesh_data(), causing packets to continue into ieee80211_rx_8023() incorrectly or return as queued when they should continue. Upstream stable commits change the result variable to automatic storage.
Likely exposure
Likely exposure is Linux systems running affected kernels with Wi-Fi/mac80211 receive paths in use. The CVSS vector is AV:A, so the modeled attacker is adjacent, not remote over the internet. Product-specific exposure should be confirmed against vendor advisories.
Exploitation context
The bundle does not cite active exploitation, and KEV is false. The described condition is a concurrency race in Wi-Fi receive handling. Public sources provided do not include exploit details or proof-of-concept status.
Researcher notes
Evidence is strong for the root cause and fix direction from kernel commit references. The bundle does not provide exploitability detail beyond the CVSS vector or confirm which distributions are affected outside listed Linux and Red Hat references.
Mitigation direction
Apply vendor kernel updates that include the referenced upstream stable fixes.
For Red Hat systems, review the listed RHSA advisories for applicable packages.
Track distribution advisories for backported fixes matching CVE-2026-46152.
Where patching is delayed, reduce reliance on affected Wi-Fi paths where operationally feasible.
Validation and detection
Inventory Linux kernel versions on systems using Wi-Fi interfaces.
Check vendor package advisories for CVE-2026-46152 applicability and fixed builds.
Confirm deployed kernels include the stable fix commits or vendor backports.
Prioritize devices using wireless mesh or mac80211-based Wi-Fi receive paths.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-1058: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
5Timeline events
1ADP providers
15Source links
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-1058 · source CWE mapping
Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.