HIGH
rtlwifi TID Array OOB
CVE-2025-71100
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI7.8HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() TID getting from ieee80211_get_tid() might be out of range of array size of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Othwerwise, UBSAN warn: UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30 index 10 is out of range for type 'rtl_tid_data [9]'
02KernelScan AI Analysis
Risk summary
An attacker within WiFi range can send specially crafted WiFi frames with invalid TID values to trigger out-of-bounds memory access in the kernel WiFi driver. This could potentially lead to system crashes, memory corruption, or in worst case scenarios, privilege escalation.
Vulnerability analysis
Root Cause: The function rtl92cu_tx_fill_desc() uses a TID (Traffic Identifier) value obtained from ieee80211_get_tid() to index into the sta_entry->tids[] array without bounds checking. The TID value can be up to 15 (0xF) but the tids array only has MAX_TID_COUNT (9) elements, allowing out-of-bounds access when TID >= 9.
Attack Surface: This vulnerability affects systems with Realtek RTL8192CU WiFi hardware. It can be triggered by receiving WiFi frames with TID values >= 9, which could come from any WiFi client or access point within radio range. No special privileges are required to send such frames.
Fix Mechanism: The patch adds a bounds check 'if (tid < MAX_TID_COUNT)' before accessing sta_entry->tids[tid]. This prevents array indexing beyond the allocated bounds and only accesses the agg_state when the TID is within valid range.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.64 | 9765d6eb8298 |
| 6.18 | 6.18.4 | 90a15ff32464 |
| mainline | 6.19 | dd39edb445f0 |