HIGH
wifi RTW89 OOB
CVE-2026-43176
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI7.1HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: validate release report content before using for RTL8922DE The commit 957eda596c76 ("wifi: rtw89: pci: validate sequence number of TX release report") does validation on existing chips, which somehow a release report of SKB becomes malformed. As no clear cause found, add rules ahead for RTL8922DE to avoid crash if it happens.
02KernelScan AI Analysis
Risk summary
Systems with RTL8922DE WiFi chips are vulnerable to kernel crashes from malformed firmware TX release reports. An attacker within WiFi range can induce the firmware to produce malformed reports, triggering out-of-bounds memory access in the host driver and causing a denial of service via kernel crash.
Vulnerability analysis
The vulnerability occurs in the RTW89 PCI driver's release report processing where the txch field from the WiFi firmware is insufficiently validated before use as an array index or bit offset. The original code only checked for one specific invalid value (RTW89_TXCH_CH12) but didn't validate the range or DMA channel mask. The fix adds comprehensive bounds checking to ensure txch is within valid range and not in forbidden DMA channels, preventing out-of-bounds access when the value is used elsewhere in the driver.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.16 | ebeaa3b24ba5 |
| 6.19 | 6.19.6 | 3e8a88b5e8b3 |
| mainline | 7.0 | 5f93d611b33a |