A slab-out-of-bounds read bug in the Broadcom Full MAC Wi-Fi driver (e.g., brcmfmac.ko in the linux-modules-extra package in Ubuntu).
The bug occurs in kmemdup() called from brcmf_get_assoc_ies(), when assoc_info->req_len, data from a URB provided by a USB device, is bigger than the size of buffer which is defined as WL_EXTRA_BUF_MAX.
The driver duplicates the data of cfg->extra_buf to conn_info->req_ie as much as assoc_info->req_le, which could exceed the size of the buffer.
The data passes through cfg80211_connect_done(), __cfg80211_connect_result(); in the end, it reaches nl80211_send_connect_result() that will form netlink messages with the data read outside the bounds of the buffer.
This data, which may contain sensitive information in the kernel, could be sent to a userspace socket by __netlink_sendskb() during this multicasting process.
The information you give is very relevant to me especially when I play https://tunnelrush.co/ it will help me to fully focus on speed.