CVE-2019-9500: Broadcom brcmfmac driver is vulnerable to a heap buffer overflow

Published Feb 19, 2019

If the Wake-up on Wireless LAN functionality is configured in the brcmfmac driver, which only works with Broadcom FullMAC chipsets, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results() function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with another brcmfmac driver flaw (CVE-2019-9503), can be used remotely. This can result in a remote denial of service (DoS). Due to the nature of the flaw, a remote privilege escalation cannot be fully ruled out, although we believe it is unlikely.

Introduced in:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3021ad9a4f009265e6063e617fb91306980af16c

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1b5e2423164b3670e8bc9174e4762d297990deff

External References:

https://kb.cert.org/vuls/id/166939/

https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html#cve-2019-9500-heap-buffer-overflow-in-brcmf-wowl-nd-results

https://www.bleepingcomputer.com/news/security/broadcom-wifi-driver-flaws-expose-computers-phones-iot-to-rce-attacks/

Other sources

If the Wake-up on Wireless LAN functionality is configured in the brcmfmac driver, which only works with Broadcom FullMAC chipsets, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results() function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with another brcmfmac driver flaw (CVE-2019-9503), can be used remotely. This can result in a remote denial of service (DoS). Due to the nature of the flaw, a remote privilege escalation cannot be fully ruled out.

The Broadcom brcmfmac WiFi driver prior to commit 1b5e2423164b3670e8bc9174e4762d297990deff is vulnerable to a heap buffer overflow. If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited with compromised chipsets to compromise the host, or when used in combination with CVE-2019-9503, can be used remotely. In the worst-case scenario, by sending specially crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.

Affected Software

12 affected components. Fixes available.

redhat/kernel-rt < 0:3.10.0-1062.1.1.rt56.1024.el7 (fix: 0:3.10.0-1062.1.1.rt56.1024.el7)
redhat/kernel < 0:3.10.0-1062.1.1.el7 (fix: 0:3.10.0-1062.1.1.el7)
redhat/kernel-alt < 0:4.14.0-115.14.1.el7a (fix: 0:4.14.0-115.14.1.el7a)
redhat/kernel < 0:3.10.0-957.41.1.el7 (fix: 0:3.10.0-957.41.1.el7)
redhat/kernel-rt < 0:4.18.0-80.11.1.rt9.156.el8_0 (fix: 0:4.18.0-80.11.1.rt9.156.el8_0)
redhat/kernel < 0:4.18.0-80.11.1.el8_0 (fix: 0:4.18.0-80.11.1.el8_0)
Broadcom brcmfmac driver
Linux kernel >= 4.5, < 4.9.181
Linux kernel >= 4.10, < 4.14.123
Linux kernel >= 4.15, < 4.19.47
Linux kernel >= 4.20, < 5.0.20
debian/linux: 5.10.223-1, 5.10.257-1, 6.1.170-3, 6.1.174-1, 6.12.86-1, 6.12.90-2, 7.0.10-1, 7.0.12-1

Remediation

Information

https://git.kernel.org/linus/1b5e2423164b3670e8bc9174e4762d297990deff

Event History

Feb 19, 2019, 12:00 AM: CVE Published
Apr 17, 2019, 08:43 PM: News Published via BleepingComputer
Apr 18, 2019, 12:21 PM: Data Sourced via Red Hat (Description, Severity, Affected Software)
Jan 16, 2020, 08:35 PM: CVE Published via MITRE
Jan 16, 2020, 08:35 PM: Data Sourced via MITRE (Remedy, Description, Severity, Weakness)
Jan 11, 2024, 11:33 PM: Data Sourced via Launchpad (Description)
Jan 19, 2024, 09:51 PM: News Published via BleepingComputer
Aug 30, 2025, 04:24 AM: Data Sourced via Ubuntu (Remedy, Description, Severity, Affected Software)
Jun 10, 2026, 10:21 AM: Data Sourced via Debian (Description, Affected Software)


Frequently Asked Questions

1. What is the severity of CVE-2019-9500?

CVE-2019-9500 has been rated as a high-severity vulnerability due to the potential for remote code execution via a heap buffer overflow.

2. How do I fix CVE-2019-9500?

To fix CVE-2019-9500, update the Linux kernel to the appropriate patched version specified by your distribution.

3. What systems are affected by CVE-2019-9500?

CVE-2019-9500 affects systems using the brcmfmac driver with Broadcom FullMAC chipsets, particularly within certain Linux kernel versions.

4. Can CVE-2019-9500 be exploited remotely?

Yes, CVE-2019-9500 can be exploited remotely by constructing malicious event frames.

5. What is the impact of exploiting CVE-2019-9500?

Exploiting CVE-2019-9500 can lead to a breach of system integrity, allowing attackers to execute arbitrary code on the affected device.
