HIGH
staging rtl8723bs BIP Verification Uninitialized Variable
CVE-2026-31626
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
KernelScan AI score: 7.1 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()

Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using uninitialized data.

Smatch warns that only 6 bytes are copied to this 8-byte (u64) variable, leaving the last two bytes uninitialized:

    drivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify() warn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes)

Initializing the variable at the start of the function fixes this warning and ensures predictable behavior.
02 KernelScan AI Analysis
Risk summary
An uninitialized variable in the driver's WiFi security code makes the outcome of BIP verification depend on stale stack contents rather than solely on the received frame. The direct impact is limited because the variable feeds verification of received management frames rather than key generation, but an unpredictable verdict can cause a protected management frame to be wrongly accepted or wrongly rejected, which gives an attacker a possible path to authentication bypass or denial of service on networks that use 802.11w management frame protection.
Vulnerability analysis
Root Cause: In rtw_BIP_verify(), the 64-bit variable le_tmp64 is declared without an initializer. Only 6 bytes are later copied into this 8-byte variable with memcpy(), so its upper 2 bytes keep whatever the stack held at that point. The 6 bytes are the packet number (IPN) field of the frame's MMIE; the driver converts the whole 64-bit variable with le64_to_cpu() and uses the result in its BIP (Broadcast/Multicast Integrity Protocol) verification of the frame, so the verdict depends on two bytes the frame never supplied.
Attack Surface: The affected code is the RTL8723BS SDIO WiFi driver (drivers/staging/rtl8723bs), reached when the driver verifies BIP-protected broadcast or multicast management frames, i.e. on networks using 802.11w management frame protection. The attack surface is adjacent-network (AV:A in the vector above): an attacker must be within radio range of a device with this hardware and able to send crafted management frames to it, but needs no local access or privileges.
Fix Mechanism: The patch initializes le_tmp64 to zero at its declaration (__le64 le_tmp64 = 0;). The upper 2 bytes that the 6-byte memcpy() never writes are then a defined zero instead of stale stack contents, so the converted value is exactly the 48-bit number carried in the frame.
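The analysis above describes a 6-byte copy into an 8-byte variable whose unwritten upper bytes then take part in the verification decision. The C below is an added example, not code from the kernel or from the rtl8723bs driver: it models the IPN read before and after the fix and a monotonic replay check over a constructed MMIE (sample_mmie), with le64_bytes_to_host standing in for the kernel's le64_to_cpu(); the function names, the sample frame and the explicitly chosen "stale" bytes are all assumptions of the example, since a real uninitialized read is undefined behavior and cannot be reproduced on demand.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed MMIE (Management MIC IE) used as sample input; not a captured
 * frame. Layout per 802.11w: Element ID 76, length 16, KeyID (2 bytes LE),
 * IPN (6 bytes LE), MIC (8 bytes). The MIC here is a placeholder. */
static const uint8_t sample_mmie[18] = {
    0x4c, 0x10,                         /* Element ID 76, length 16 */
    0x04, 0x00,                         /* KeyID = 4 */
    0x05, 0x00, 0x00, 0x00, 0x00, 0x00, /* IPN = 5 (little-endian, 6 bytes) */
    0, 0, 0, 0, 0, 0, 0, 0              /* MIC placeholder */
};

/* Host-independent stand-in for le64_to_cpu(): interpret an 8-byte object
 * as a little-endian integer. */
static uint64_t le64_bytes_to_host(const void *obj)
{
    uint8_t b[8];
    uint64_t v = 0;
    memcpy(b, obj, 8);
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | b[i];
    return v;
}

/* The pattern the fix lands on: zero-initialise the 8-byte target before the
 * 6-byte copy, so bytes 6 and 7 are a defined zero rather than stale stack. */
uint64_t read_ipn_fixed(const uint8_t *mmie)
{
    uint64_t le_tmp64 = 0;            /* the one-line fix */
    memcpy(&le_tmp64, mmie + 4, 6);   /* 6-byte IPN into an 8-byte object */
    return le64_bytes_to_host(&le_tmp64);
}

/* Endian-explicit alternative: decode the 48-bit counter byte by byte, so
 * there is no size mismatch for a checker to warn about in the first place. */
uint64_t read_ipn_le48(const uint8_t *mmie)
{
    uint64_t v = 0;
    for (int i = 5; i >= 0; i--)
        v = (v << 8) | mmie[4 + i];
    return v;
}

/* Model of the pre-fix read: the two high bytes are set explicitly to a
 * chosen "stale" value to stand in for whatever the stack held. */
uint64_t read_ipn_with_stale_high_bytes(const uint8_t *mmie, uint16_t stale)
{
    uint8_t b[8];
    memcpy(b, mmie + 4, 6);
    b[6] = (uint8_t)(stale & 0xff);
    b[7] = (uint8_t)(stale >> 8);
    return le64_bytes_to_host(b);
}

/* Replay check as a monotonic counter: accept only if the frame's IPN is
 * greater than the last accepted one, then advance the stored counter.
 * (The driver advances its stored value only after the MIC also verifies;
 * this model advances it on the counter check alone.) */
bool bip_ipn_check(uint64_t *stored_ipn, uint64_t frame_ipn)
{
    if (frame_ipn <= *stored_ipn)
        return false;                  /* replayed or out-of-order frame */
    *stored_ipn = frame_ipn;
    return true;
}

/* Does a frame carrying frame_ipn pass the replay check when the last
 * accepted IPN was last_ipn? */
bool ipn_accepted(uint64_t last_ipn, uint64_t frame_ipn)
{
    uint64_t stored = last_ipn;
    return bip_ipn_check(&stored, frame_ipn);
}

int main(void)
{
    uint64_t fixed = read_ipn_fixed(sample_mmie);
    uint64_t stale = read_ipn_with_stale_high_bytes(sample_mmie, 0x0001);

    printf("decoded IPN (fixed read):         %llu\n", (unsigned long long)fixed);
    printf("replay of IPN 5 accepted (fixed): %s\n",
           ipn_accepted(5, fixed) ? "yes" : "no");
    printf("decoded IPN (stale high bytes):   0x%016llx\n",
           (unsigned long long)stale);
    printf("replay of IPN 5 accepted (stale): %s\n",
           ipn_accepted(5, stale) ? "yes" : "no");
    return 0;
}
```

The point the model makes explicit: a genuine IPN never exceeds 48 bits, so any nonzero stale high byte yields a value of at least 2^48, which is larger than every legitimately stored counter. The replay check then passes no matter what the frame actually carries, and once such a value is stored, every later genuine frame compares as a replay until the stale bytes happen to change; that is one concrete route to the unpredictable verdicts and the denial of service the risk summary describes. Zero-initializing the target (read_ipn_fixed) or decoding the field explicitly (read_ipn_le48) both give the same defined result.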
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 6792624d9331 |
| 5.15 | 5.15.209 | 51532c7c1d35 |
| 6.1 | 6.1.175 | 9e911eead187 |
| 6.6 | 6.6.136 | c65ee4d3be5d |
| 6.12 | 6.12.83 | d5b8f5f8d6fc |
| 6.18 | 6.18.24 | b487a7754d87 |
| 6.19 | 6.19.14 | c2026c6b603e |
| 7.0 | 7.0.1 | ef74ce5f0bc0 |
| mainline | 7.1-rc1 | 8c964b82a4e9 |