Skip to main content

Linux Kernel rtl8723bs CVE-2026-31626

| EUVDEUVD-2026-25519 HIGH
Use of Uninitialized Resource (CWE-908)
2026-04-24 Linux GHSA-cxgj-pqq4-q34h
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 20:52 vuln.today
cvss_changed
Analysis Generated
Apr 27, 2026 - 15:36 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.1 (HIGH)
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25519
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()

Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using uninitialized data.

Smatch warns that only 6 bytes are copied to this 8-byte (u64) variable, leaving the last two bytes uninitialized:

drivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify() warn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes)

Initializing the variable at the start of the function fixes this warning and ensures predictable behavior.

AnalysisAI

Uninitialized memory read in Linux kernel's rtl8723bs Wi-Fi driver allows adjacent network attackers to cause denial of service or potentially corrupt integrity through malformed BIP (Broadcast/Multicast Integrity Protocol) frames. The vulnerability affects the staging rtl8723bs driver where only 6 bytes are copied into an 8-byte variable during BIP verification, leaving 2 bytes uninitialized. Patches available across multiple stable kernel versions (6.12.83, 6.18.24, 6.19.14, 7.0.1). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. Not listed in CISA KEV, and no public exploit identified at time of analysis.

Technical ContextAI

This vulnerability exists in the rtl8723bs wireless driver's implementation of BIP (Broadcast/Multicast Integrity Protocol), part of IEEE 802.11w management frame protection. The rtw_BIP_verify() function in rtw_security.c copies only 6 bytes into the 64-bit (8-byte) le_tmp64 variable, leaving the upper 2 bytes containing uninitialized stack memory. This occurs during cryptographic verification of management frames. When this uninitialized data is subsequently used in calculations or comparisons, it can lead to unpredictable behavior including verification bypass or memory corruption. The rtl8723bs driver is a staging driver for Realtek 8723BS wireless chipsets commonly found in budget tablets and embedded devices. The root cause is improper buffer initialization before partial data copy operations, though no specific CWE classification was assigned by NVD.

RemediationAI

Update to patched Linux kernel stable versions 6.12.83, 6.18.24, 6.19.14, 7.0.1 or later, depending on your kernel branch. Upstream fixes available in commits d5b8f5f8d6fc09a8af5ed139c688660f578ed732 (mainline), b487a7754d874230299d5a9c2710ec4df8b2ed8a, c2026c6b603ebec52f55015496703fe79077accf, and ef74ce5f0bc0e53ce702d8a794f3957884a26efc (stable branches) from https://git.kernel.org/stable/. If immediate patching is not feasible, disable the rtl8723bs driver via kernel module blacklist (add 'blacklist r8723bs' to /etc/modprobe.d/blacklist.conf) if not required for hardware operation - this eliminates attack surface but renders affected Realtek 8723BS Wi-Fi chipsets non-functional, requiring alternative network connectivity (Ethernet or USB Wi-Fi adapter). Alternatively, restrict wireless network access to trusted adjacent devices only and implement 802.11w management frame protection at the access point level, though this does not fully mitigate the driver-level memory handling issue. Network segmentation to isolate devices with vulnerable drivers reduces blast radius of potential DoS impact. Monitor kernel logs for rtl8723bs-related crashes or anomalies as potential exploitation indicators.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31626 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy