Skip to main content

Realtek rtl819x Jungle SDK CVE-2026-36355

| EUVDEUVD-2026-27325 HIGH
Information Exposure (CWE-200)
2026-05-05 mitre
7.7
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.7 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 05, 2026 - 18:22 vuln.today
CVSS changed
May 05, 2026 - 18:22 NVD
7.7 (HIGH)

DescriptionCVE.org

The rtl8192cd Wi-Fi kernel driver in the Realtek rtl819x Jungle SDK (all known versions through v3.4.14B) does not perform any access control checks on the write_mem (ioctl 0x89F5) and read_mem (ioctl 0x89F6) debug handlers, which are compiled into production builds via the unconditionally defined _IOCTL_DEBUG_CMD_ macro in 8192cd_cfg.h

AnalysisAI

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to access and modify kernel memory through debug ioctl handlers (0x89F5/0x89F6) that were left enabled in production builds. All known SDK versions through v3.4.14B are affected. A publicly available exploit exists (GitHub repository CVE-2026-36355), enabling privilege escalation and data exfiltration on devices using the vulnerable rtl8192cd driver. EPSS data unavailable; not currently in CISA KEV.

Technical ContextAI

The vulnerability exists in the rtl8192cd kernel driver component of Realtek's rtl819x Jungle Software Development Kit, which provides Wi-Fi functionality for embedded Linux devices. The root cause (CWE-200: Information Disclosure) stems from two debug ioctl handlers - write_mem (0x89F5) and read_mem (0x89F6) - that were intended for development/debugging but remained active in production firmware due to the unconditional definition of the _IOCTL_DEBUG_CMD_ preprocessor macro in 8192cd_cfg.h. These handlers provide direct kernel memory access primitives without implementing any authorization checks, permission boundaries, or capability requirements. This SDK is commonly integrated into consumer routers, access points, and IoT devices from multiple manufacturers who incorporate Realtek wireless chipsets, creating widespread exposure across the embedded device ecosystem.

RemediationAI

No vendor-released patch version has been identified at time of analysis. Device owners should check manufacturer support pages for firmware updates addressing CVE-2026-36355, as OEM vendors must integrate fixes from Realtek and release updated firmware packages. For devices without available patches, implement compensating controls with understanding of operational trade-offs: (1) Disable Wi-Fi driver module if wired connectivity suffices (prevents normal wireless operation); (2) Restrict physical and management interface access to trusted administrators only, reducing local access attack surface; (3) Deploy network segmentation isolating affected devices from sensitive systems (does not prevent device compromise but limits lateral movement); (4) Monitor for unusual ioctl system calls or kernel memory access patterns through host-based intrusion detection if available. For embedded devices at end-of-life, replacement with patched hardware may be the only effective long-term mitigation. Exploitation proof-of-concept available at https://github.com/totekuh/CVE-2026-36355 can be used for defensive testing of deployed devices. Advisory reference: https://nvd.nist.gov/vuln/detail/CVE-2026-36355.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

CVE-2025-60467 HIGH POC
7.5 Jun 24

Denial of service in GPAC (libgpac/MP4Box) before 26.02.0 lets an attacker crash the application by feeding it a crafted

Share

CVE-2026-36355 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy