HIGH
staging rtl8723bs WMM OOB
CVE-2026-43386
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI 4.3 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie

The current code checks 'i + 5 < in_len' at the end of the if statement. However, it accesses 'in_ie[i + 5]' before that check, which can lead to an out-of-bounds read.

Move the length check to the beginning of the conditional to ensure the index is within bounds before accessing the array.
02 KernelScan AI Analysis
Risk summary
Adjacent attackers with no privileges can trigger an out-of-bounds read in the RTL8723BS WiFi driver's WMM information element parsing code by transmitting malformed 802.11 management frames (e.g., beacon or probe responses) within Wi-Fi radio range. This can lead to a limited leak of kernel memory (a few bytes) but does not allow code execution or system compromise.
Vulnerability analysis
The vulnerability occurs in rtw_restruct_wmm_ie() where the code accesses in_ie[i + 2] through in_ie[i + 5] before checking if i + 5 < in_len. This allows a small out-of-bounds read past the end of the input IE buffer when processing WMM information elements from received wireless frames. The fix reorders the conditional to perform bounds checking first. Because the input originates from received 802.11 management frames, an attacker within Wi-Fi range can trigger the bug without local system access or privileges.
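The check-ordering problem described above, modeled as an added example (not the driver's code and not taken from the kernel patch): the two matchers differ only in where `i + 5 < len` sits, and an instrumented accessor counts out-of-range requests instead of performing them. The function names, the accessor and both sample buffers are constructed for illustration; the byte pattern is the standard WMM signature (vendor-specific element ID 0xDD, OUI 00:50:F2, type 0x02).

```c
#include <stdint.h>
#include <stdio.h>

static unsigned oob; /* reads requested at an index >= len */
/* Instrumented accessor (hypothetical helper): counts OOB requests, never performs them. */
static uint8_t at(const uint8_t *ie, size_t len, size_t idx)
{
    if (idx < len)
        return ie[idx];
    oob++;
    return 0;
}

/* Ordering before the fix: bytes compared first, length checked last. */
static int match_late_check(const uint8_t *ie, size_t len, size_t i)
{
    return at(ie, len, i) == 0xDD && at(ie, len, i + 2) == 0x00 &&
           at(ie, len, i + 3) == 0x50 && at(ie, len, i + 4) == 0xF2 &&
           at(ie, len, i + 5) == 0x02 && i + 5 < len;
}

/* Ordering after the fix: && short-circuits, so no byte is read unless i + 5 < len. */
static int match_early_check(const uint8_t *ie, size_t len, size_t i)
{
    return i + 5 < len && at(ie, len, i) == 0xDD &&
           at(ie, len, i + 2) == 0x00 && at(ie, len, i + 3) == 0x50 &&
           at(ie, len, i + 4) == 0xF2 && at(ie, len, i + 5) == 0x02;
}

/* Runs one matcher at offset i; returns how many out-of-range reads it asked for. */
static unsigned probe(int (*m)(const uint8_t *, size_t, size_t),
                      const uint8_t *ie, size_t len, size_t i)
{
    oob = 0;
    (void)m(ie, len, i);
    return oob;
}

/* Constructed samples: a vendor IE cut off after its OUI, and a complete WMM prefix. */
static const uint8_t truncated_ie[] = { 0xDD, 0x07, 0x00, 0x50, 0xF2 };
static const uint8_t full_ie[] = { 0xDD, 0x07, 0x00, 0x50, 0xF2, 0x02, 0x00, 0x01, 0x00 };

int main(void)
{
    unsigned late = probe(match_late_check, truncated_ie, sizeof truncated_ie, 0);
    unsigned early = probe(match_early_check, truncated_ie, sizeof truncated_ie, 0);
    printf("truncated IE: late check %u OOB read(s), early check %u\n", late, early);
    printf("full IE matches: %d\n", match_early_check(full_ie, sizeof full_ie, 0));
    return 0;
}
```

Both orderings return the same match result on every input; only the late check asks for a byte past the end of the truncated buffer, which is why the bug does not show up in functional testing.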
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 6ff2243d5e05 |
| 5.15 | 5.15.203 | 12cc6e8f8d42 |
| 6.1 | 6.1.167 | 209644e25757 |
| 6.12 | 6.12.78 | e14a1148f02e |
| 6.18 | 6.18.19 | 4dd2d9cf563c |
| 6.19 | 6.19.9 | d97fc1b29513 |
| 6.6 | 6.6.130 | 768f25613a9f |
| mainline | 7.0 | a75281626fc8 |