NixOS · masrlinu · Nov 13, 2025 · Nov 13, 2025 · Nov 13, 2025
diff --git a/apple/imac/14-2/default.nix b/apple/imac/14-2/default.nix
@@ -13,25 +13,55 @@
     ../../../common/hidpi.nix
   ];
 
-  boot = {
-    initrd.kernelModules = [
-      "applesmc"
-      "applespi"
-      "intel_lpss_pci"
-      "spi_pxa2xx_platform"
-      "kvm-intel"
-    ];
-    blacklistedKernelModules = [
-      "b43"
-      "ssb"
-      "brcmfmac"
-      "brcmsmac"
-      "bcma"
-    ];
-    kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.0") pkgs.linuxPackages_latest;
+  options = {
+    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = ''
+        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
+
+        This driver is vulnerable to heap buffer overflows:
+        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
+        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
+
+        Attackers within WiFi range can exploit this vulnerability by sending crafted
+        WiFi packets, even without being connected to the same network. Simply having
+        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
+        Only enable if no alternative WiFi solution is available.
+      '';
+    };
   };
 
-  hardware = {
-    bluetooth.enable = lib.mkDefault true;
+  config = {
+    boot = {
+      initrd.kernelModules = [
+        "applesmc"
+        "applespi"
+        "intel_lpss_pci"
+        "spi_pxa2xx_platform"
+        "kvm-intel"
+      ];
+      blacklistedKernelModules = [
+        "b43"
+        "ssb"
+        "brcmfmac"
+        "brcmsmac"
+        "bcma"
+      ];
+      kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.0") pkgs.linuxPackages_latest;
+      extraModulePackages =
+        lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities
+          [
+            (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
+              meta = oldAttrs.meta // {
+                knownVulnerabilities = [ ];
+              };
+            }))
+          ];
+    };
+
+    hardware = {
+      bluetooth.enable = lib.mkDefault true;
+    };
   };
 }
diff --git a/apple/macbook-air/6/default.nix b/apple/macbook-air/6/default.nix
@@ -3,14 +3,47 @@
 {
   imports = [ ../. ];
 
-  boot.blacklistedKernelModules = [ "bcma" ];
+  options = {
+    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = ''
+        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
 
-  boot = {
-    # Divides power consumption by two.
-    kernelParams = [ "acpi_osi=" ];
+        This driver is vulnerable to heap buffer overflows:
+        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
+        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
+
+        Attackers within WiFi range can exploit this vulnerability by sending crafted
+        WiFi packets, even without being connected to the same network. Simply having
+        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
+        Only enable if no alternative WiFi solution is available.
+      '';
+    };
   };
 
-  services.xserver.deviceSection = lib.mkDefault ''
-    Option "TearFree" "true"
-  '';
+  config = {
+    boot = {
+      # Divides power consumption by two.
+      kernelParams = [ "acpi_osi=" ];
+
+      blacklistedKernelModules = [ "bcma" ];
+      kernelModules = lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [
+        "wl"
+      ];
+      extraModulePackages =
+        lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities
+          [
+            (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
+              meta = oldAttrs.meta // {
+                knownVulnerabilities = [ ];
+              };
+            }))
+          ];
+    };
+
+    services.xserver.deviceSection = lib.mkDefault ''
+      Option "TearFree" "true"
+    '';
+  };
 }
diff --git a/apple/macbook-pro/11-1/default.nix b/apple/macbook-pro/11-1/default.nix
@@ -6,5 +6,38 @@
     ../../../common/cpu/intel/haswell
   ];
 
-  hardware.enableRedistributableFirmware = lib.mkDefault true;
+  options = {
+    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = ''
+        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
+
+        This driver is vulnerable to heap buffer overflows:
+        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
+        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
+
+        Attackers within WiFi range can exploit this vulnerability by sending crafted
+        WiFi packets, even without being connected to the same network. Simply having
+        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
+        Only enable if no alternative WiFi solution is available.
+      '';
+    };
+  };
+
+  config = {
+    hardware.enableRedistributableFirmware = lib.mkDefault true; # broadcom-wl
+    boot.kernelModules =
+      lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities
+        [ "wl" ];
+    boot.extraModulePackages =
+      lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities
+        [
+          (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
+            meta = oldAttrs.meta // {
+              knownVulnerabilities = [ ];
+            };
+          }))
+        ];
+  };
 }
diff --git a/dell/inspiron/3442/default.nix b/dell/inspiron/3442/default.nix
@@ -6,8 +6,42 @@
     ../../../common/pc/laptop
   ];
 
-  services = {
-    fwupd.enable = lib.mkDefault true;
-    thermald.enable = lib.mkDefault true;
+  options = {
+    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = ''
+        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
+
+        This driver is vulnerable to heap buffer overflows:
+        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
+        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
+
+        Attackers within WiFi range can exploit this vulnerability by sending crafted
+        WiFi packets, even without being connected to the same network. Simply having
+        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
+        Only enable if no alternative WiFi solution is available.
+      '';
+    };
+  };
+
+  config = {
+    boot.kernelModules =
+      lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities
+        [ "wl" ];
+    boot.extraModulePackages =
+      lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities
+        [
+          (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
+            meta = oldAttrs.meta // {
+              knownVulnerabilities = [ ];
+            };
+          }))
+        ];
+
+    services = {
+      fwupd.enable = lib.mkDefault true;
+      thermald.enable = lib.mkDefault true;
+    };
   };
 }
diff --git a/dell/xps/13-9343/default.nix b/dell/xps/13-9343/default.nix
@@ -7,14 +7,43 @@
     ../../../common/pc/ssd
   ];
 
-  services = {
-    fwupd.enable = lib.mkDefault true;
-    thermald.enable = lib.mkDefault true;
+  options = {
+    hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = ''
+        Enable the legacy Broadcom WiFi driver (wl) with known security vulnerabilities.
+
+        This driver is vulnerable to heap buffer overflows:
+        - CVE-2019-9501 (https://github.com/advisories/GHSA-vjw8-c937-7hwp)
+        - CVE-2019-9502 (https://github.com/advisories/GHSA-4rfg-8q34-prmp)
+
+        Attackers within WiFi range can exploit this vulnerability by sending crafted
+        WiFi packets, even without being connected to the same network. Simply having
+        WiFi enabled makes the system vulnerable to arbitrary code execution or denial-of-service.
+        Only enable if no alternative WiFi solution is available.
+      '';
+    };
   };
 
-  boot = {
-    kernelModules = [
+  config = {
+    boot.kernelModules = [
       "kvm-intel"
-    ];
+    ]
+    ++ lib.optionals config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities [ "wl" ];
+    boot.extraModulePackages =
+      lib.mkIf config.hardware.broadcom.wifi.enableLegacyDriverWithKnownVulnerabilities
+        [
+          (config.boot.kernelPackages.broadcom_sta.overrideAttrs (oldAttrs: {
+            meta = oldAttrs.meta // {
+              knownVulnerabilities = [ ];
+            };
+          }))
+        ];
+
+    services = {
+      fwupd.enable = lib.mkDefault true;
+      thermald.enable = lib.mkDefault true;
+    };
   };
 }