Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
The rtl8192cd Wi-Fi kernel driver in the Realtek rtl819x Jungle SDK (all known versions through v3.4.14B) does not perform any access control checks on the write_mem (ioctl 0x89F5) and read_mem (ioctl 0x89F6) debug handlers, which are compiled into production builds via the unconditionally defined _IOCTL_DEBUG_CMD_ macro in 8192cd_cfg.h
AnalysisAI
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to access and modify kernel memory through debug ioctl handlers (0x89F5/0x89F6) that were left enabled in production builds. All known SDK versions through v3.4.14B are affected. A publicly available exploit exists (GitHub repository CVE-2026-36355), enabling privilege escalation and data exfiltration on devices using the vulnerable rtl8192cd driver. EPSS data unavailable; not currently in CISA KEV.
Technical ContextAI
The vulnerability exists in the rtl8192cd kernel driver component of Realtek's rtl819x Jungle Software Development Kit, which provides Wi-Fi functionality for embedded Linux devices. The root cause (CWE-200: Information Disclosure) stems from two debug ioctl handlers - write_mem (0x89F5) and read_mem (0x89F6) - that were intended for development/debugging but remained active in production firmware due to the unconditional definition of the _IOCTL_DEBUG_CMD_ preprocessor macro in 8192cd_cfg.h. These handlers provide direct kernel memory access primitives without implementing any authorization checks, permission boundaries, or capability requirements. This SDK is commonly integrated into consumer routers, access points, and IoT devices from multiple manufacturers who incorporate Realtek wireless chipsets, creating widespread exposure across the embedded device ecosystem.
RemediationAI
No vendor-released patch version has been identified at time of analysis. Device owners should check manufacturer support pages for firmware updates addressing CVE-2026-36355, as OEM vendors must integrate fixes from Realtek and release updated firmware packages. For devices without available patches, implement compensating controls with understanding of operational trade-offs: (1) Disable Wi-Fi driver module if wired connectivity suffices (prevents normal wireless operation); (2) Restrict physical and management interface access to trusted administrators only, reducing local access attack surface; (3) Deploy network segmentation isolating affected devices from sensitive systems (does not prevent device compromise but limits lateral movement); (4) Monitor for unusual ioctl system calls or kernel memory access patterns through host-based intrusion detection if available. For embedded devices at end-of-life, replacement with patched hardware may be the only effective long-term mitigation. Exploitation proof-of-concept available at https://github.com/totekuh/CVE-2026-36355 can be used for defensive testing of deployed devices. Advisory reference: https://nvd.nist.gov/vuln/detail/CVE-2026-36355.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Denial of service in GPAC (libgpac/MP4Box) before 26.02.0 lets an attacker crash the application by feeding it a crafted
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27325