wifi/rtw89 TxRelease OOB
CVE-2026-43213
Severity: HIGH (KernelScan AI rating: 7.1 HIGH)
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw89: pci: validate sequence number of TX release report

Hardware rarely reports an abnormal sequence number in the TX release report, which will access out-of-bounds of the wd_ring->pages array, causing a NULL pointer dereference.

```
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 1085 Comm: irq/129-rtw89_p Tainted: G S U 6.1.145-17510-g2f3369c91536 #1 (HASH:69e8 1)
Call Trace:
 <IRQ>
 rtw89_pci_release_tx+0x18f/0x300 [rtw89_pci (HASH:4c83 2)]
 rtw89_pci_napi_poll+0xc2/0x190 [rtw89_pci (HASH:4c83 2)]
 net_rx_action+0xfc/0x460 net/core/dev.c:6578 net/core/dev.c:6645 net/core/dev.c:6759
 handle_softirqs+0xbe/0x290 kernel/softirq.c:601
 ? rtw89_pci_interrupt_threadfn+0xc5/0x350 [rtw89_pci (HASH:4c83 2)]
 __local_bh_enable_ip+0xeb/0x120 kernel/softirq.c:499 kernel/softirq.c:423
 </IRQ>
 <TASK>
 rtw89_pci_interrupt_threadfn+0xf8/0x350 [rtw89_pci (HASH:4c83 2)]
 ? irq_thread+0xa7/0x340 kernel/irq/manage.c:0
 irq_thread+0x177/0x340 kernel/irq/manage.c:1205 kernel/irq/manage.c:1314
 ? thaw_kernel_threads+0xb0/0xb0 kernel/irq/manage.c:1202
 ? irq_forced_thread_fn+0x80/0x80 kernel/irq/manage.c:1220
 kthread+0xea/0x110 kernel/kthread.c:376
 ? synchronize_irq+0x1a0/0x1a0 kernel/irq/manage.c:1287
 ? kthread_associate_blkcg+0x80/0x80 kernel/kthread.c:331
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
```

To prevent the crash, validate rpp_info.seq before using it.
KernelScan AI Analysis
Risk summary
Systems with Realtek RTW89 PCIe WiFi hardware are vulnerable to denial of service and potential information disclosure. An attacker within WiFi range can trigger an out-of-bounds read during TX release report processing, which may leak small amounts of kernel memory and lead to a NULL pointer dereference and kernel crash in interrupt context.
Vulnerability analysis
The vulnerability occurs in rtw89_pci_release_rpp() where a sequence number (rpp_info.seq) received from the WiFi hardware via PCIe is used as an array index into wd_ring->pages without validation. Because the sequence number is attacker-influenced over the wireless interface and unbounded, the out-of-bounds read can access arbitrary kernel memory. In the observed crash path, the out-of-bounds read returns a NULL pointer that is subsequently dereferenced, causing a kernel oops in softirq/IRQ thread context. The fix adds a bounds check (rpp_info.seq >= RTW89_PCI_TXWD_NUM_MAX) before indexing the array. The bug is reachable over WiFi (802.11) from an adjacent attacker and requires no privileges on the target system.
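As an added illustration (not the rtw89 driver's code and not part of this advisory), the following user-space C model shows the release path with the sequence-number check applied and then feeds it a constructed batch of reports, including an out-of-range one. The struct layouts, the value 512 for RTW89_PCI_TXWD_NUM_MAX, and the functions release_rpp and demo_constructed_reports are all assumed stand-ins, not the driver's real definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define RTW89_PCI_TXWD_NUM_MAX 512   /* assumed ring depth; the real value is in the driver */
struct txwd_page { uint16_t seq; bool in_use; };        /* stand-in for a TX wait-descriptor page */
struct rpp_info  { uint16_t seq; uint8_t tx_status; };  /* modelled TX release report entry */
struct txwd_ring {
    struct txwd_page *pages[RTW89_PCI_TXWD_NUM_MAX];   /* indexed by the hardware-reported seq */
    unsigned long bad_seq_reports;   /* counter a defender would export for detection */
};
enum { RELEASE_OK = 0, RELEASE_BAD_SEQ = -1, RELEASE_UNUSED = -2 };
struct demo_result { int released, unused, bad_seq; };

/* Hardened model of the release path: the hardware-supplied seq is compared
 * against the ring size before it is used as an index (the check the fix adds),
 * and an empty slot is tolerated instead of dereferencing a NULL page. */
int release_rpp(struct txwd_ring *ring, const struct rpp_info *rpp)
{
    struct txwd_page *page;
    if (rpp->seq >= RTW89_PCI_TXWD_NUM_MAX) {
        ring->bad_seq_reports++;   /* drop the report, leave the ring untouched */
        return RELEASE_BAD_SEQ;
    }
    page = ring->pages[rpp->seq];
    if (!page || !page->in_use)
        return RELEASE_UNUSED;
    page->in_use = false;          /* the driver would return the page to its free pool here */
    return RELEASE_OK;
}

/* Constructed scenario: one in-flight page at seq 3 and three reports as the
 * hardware might deliver them: a valid release, a stale duplicate, and an
 * out-of-range seq (0xFFFF) standing in for the abnormal value in the advisory. */
struct demo_result demo_constructed_reports(void)
{
    struct txwd_page page3 = { .seq = 3, .in_use = true };
    struct txwd_ring ring = { { 0 }, 0 };
    const struct rpp_info reports[] = { { 3, 0 }, { 3, 0 }, { 0xFFFF, 0 } };
    struct demo_result r = { 0, 0, 0 };
    ring.pages[3] = &page3;
    for (size_t i = 0; i < sizeof reports / sizeof reports[0]; i++) {
        switch (release_rpp(&ring, &reports[i])) {
        case RELEASE_OK:     r.released++; break;
        case RELEASE_UNUSED: r.unused++;   break;
        default:             r.bad_seq++;  break;
        }
    }
    return r;
}
```

Without the first check, the 0xFFFF report would index far past the 512-entry array, which is the out-of-bounds read the advisory describes; a rising bad_seq_reports counter on a production system would be the signal worth alerting on.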
Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.16 | ef7fa19809b2 |
| 6.19 | 6.19.6 | b342dd13aedc |
| mainline | 7.0 | 957eda596c76 |