CVE-2017-0561

CRITICAL

Linux Kernel - Remote Code Execution via Broadcom Wi-Fi Firmware

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-0561. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit targets a heap overflow vulnerability in Broadcom Wi-Fi SoCs (CVE-2017-0561) by crafting malicious TDLS Teardown Request frames. The overflow occurs due to unchecked length fields in Fast Transition IE, leading to arbitrary code execution on vulnerable devices.

Description

A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary code within the context of the Wi-Fi SoC. This issue is rated as Critical due to the possibility of remote code execution in the context of the Wi-Fi SoC. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34199105. References: B-RB#110814.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Google Security Research · textremotehardware
https://www.exploit-db.com/exploits/41805

This exploit targets a heap overflow vulnerability in Broadcom Wi-Fi SoCs (CVE-2017-0561) by crafting malicious TDLS Teardown Request frames. The overflow occurs due to unchecked length fields in Fast Transition IE, leading to arbitrary code execution on vulnerable devices.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Broadcom Wi-Fi SoCs (e.g., BCM4339, BCM4358) with firmware versions up to 6.37.34.40 and 7.112.201.1
No auth needed
Prerequisites: Modified wpa_supplicant and Linux kernel (mac80211) to send crafted TDLS frames · Proximity to target device on the same Wi-Fi network
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Google Security Research · textdoshardware
https://www.exploit-db.com/exploits/41806

This exploit targets a heap overflow vulnerability in Broadcom Wi-Fi SoCs (CVE-2017-0561) by sending a malformed TDLS Setup Confirm frame with an abnormally large RSN IE, leading to a heap buffer overflow in the 'wlc_tdls_cal_mic_chk' function. The PoC includes a patch for wpa_supplicant 2.6 to trigger the vulnerability, causing a denial-of-service (DoS) on affected devices.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Broadcom Wi-Fi SoCs (e.g., BCM4339 with firmware 6.37.34.40)
No auth needed
Prerequisites: Access to a network with a vulnerable Broadcom SoC device · Modified wpa_supplicant with TDLS support
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97367
Patch, Vendor Advisory x_refsource_confirm
https://source.android.com/security/bulletin/2017-04-01
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41805/
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/11/msg00015.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41806/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038201

Scores

CVSS v3 9.8
EPSS 0.3003
EPSS Percentile 98.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-787
Status published
Products (4)
Google Inc./Android Kernel-3.10
Google Inc./Android Kernel-3.18
linux/linux_kernel 3.10
linux/linux_kernel 3.18
Published Apr 07, 2017
Tracked Since Feb 18, 2026