An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic, a different vulnerability than CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.

References:
https://www.zdnet.com/article/new-kr00k-vulnerability-lets-attackers-decrypt-wifi-packets/
https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf
https://www.eset.com/int/kr00k/
Statement: This issue is present in the firmware of Broadcom Wi-Fi client devices and is not fixable in software. While Red Hat ships certain hardware firmware binary blobs via the linux-firmware package, we rely on the hardware vendors to populate (and document) these firmware binary blobs with updated firmware at their discretion. As a consequence, we are currently unable to tell whether current linux-firmware packages address this particular vulnerability.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-15126