CVE-2026-43113
Linux · Kernel (wl1251 driver)
A buffer overflow vulnerability in the Linux kernel's wl1251 Wi-Fi driver exists due to missing bounds validation on firmware-supplied packet IDs.
Executive summary
A critical buffer overflow in the Linux kernel wl1251 Wi-Fi driver could allow attackers to trigger memory corruption via malicious firmware communication.
Vulnerability
This is a buffer overflow vulnerability in the wl1251_tx_packet_cb() function. The driver uses a completion ID supplied by the firmware as an index into the wl->tx_frames[] array without first verifying that the ID falls within the array's bounds.
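The pattern described above, as an added example that is not the kernel's code or the upstream fix: a userspace C model of a completion handler that validates the firmware-supplied ID before indexing. `TX_SLOTS`, `struct model_wl`, `model_tx_packet_cb()` and `model_process()` are hypothetical names, the array size is constructed, and the empty-slot check is an extra safeguard of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TX_SLOTS 16  /* constructed size for this model, not taken from the advisory */

struct tx_result { uint8_t id; uint8_t status; };  /* simplified completion record */

struct model_wl {
    void *tx_frames[TX_SLOTS];  /* in-flight frames, indexed by packet ID */
    unsigned int completed;
    unsigned int rejected;
};

/* Returns 0 when a frame was completed, -1 when the record was rejected. */
int model_tx_packet_cb(struct model_wl *wl, const struct tx_result *res)
{
    /* The firmware-supplied ID must index inside tx_frames[] before any use. */
    if (res->id >= TX_SLOTS) {
        wl->rejected++;
        return -1;
    }
    /* The slot must hold an in-flight frame (stale or duplicate completion). */
    if (wl->tx_frames[res->id] == NULL) {
        wl->rejected++;
        return -1;
    }
    wl->tx_frames[res->id] = NULL;  /* release the slot */
    wl->completed++;
    return 0;
}

/* Feeds a batch of completion records; returns how many were rejected. */
unsigned int model_process(struct model_wl *wl, const struct tx_result *r, size_t n)
{
    unsigned int before = wl->rejected;
    for (size_t i = 0; i < n; i++)
        model_tx_packet_cb(wl, &r[i]);
    return wl->rejected - before;
}

int main(void)
{
    int frame = 0;  /* constructed stand-in for a queued frame */
    struct model_wl wl = { 0 };
    /* Constructed records: one valid ID, two outside the array. */
    const struct tx_result sample[] = { { 3, 0 }, { 16, 0 }, { 255, 0 } };
    wl.tx_frames[3] = &frame;
    unsigned int bad = model_process(&wl, sample, 3);
    printf("completed=%u rejected=%u\n", wl.completed, bad);
    return 0;
}
```

Counting rejected records, rather than silently dropping them, gives the monitoring described under Remediation something concrete to alert on.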
Business impact
An attacker capable of influencing the firmware or intercepting the firmware-host communication could trigger this memory corruption, leading to system crashes or arbitrary code execution. Given the CVSS score of 8.8, this represents a significant threat to systems using the affected hardware, particularly in embedded or IoT environments.
Remediation
Immediate Action: Apply vendor security updates as they become available. If no patch is currently available for your specific distribution, consider disabling the wl1251 driver if it is not strictly required.
Proactive Monitoring: Monitor system logs for driver-level errors or unexpected crashes related to Wi-Fi transmission completions.
Compensating Controls: Implement network-level security to prevent untrusted devices from interacting with the host's wireless firmware management interface.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability highlights the risk of trusting firmware-supplied indices in kernel drivers. Organizations should prioritize updating kernel packages and, where possible, restrict wireless device access to mitigate the risk of malicious firmware-based exploitation.