Skip to main content

Linux Kernel CVE-2026-43159

| EUVDEUVD-2026-27718 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-06 Linux GHSA-3fch-xpx6-pcr2
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 12:02 vuln.today
CVSS changed
May 13, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8723bs: fix null dereference in find_network

The variable pwlan has the possibility of being NULL when passed into rtw_free_network_nolock() which would later dereference the variable.

AnalysisAI

Null pointer dereference in the Linux kernel's rtl8723bs staging Wi-Fi driver allows a locally authenticated user to crash the kernel, resulting in a denial of service. The pwlan variable in find_network() is not validated for NULL before being passed to rtw_free_network_nolock(), which then dereferences it unconditionally. The flaw has been present since Linux 4.12 and is patched across all active stable branches; no public exploit exists and EPSS sits at 0.02%, confirming negligible exploitation activity.

Technical ContextAI

The affected code resides in drivers/staging/net/wireless/rtl8723bs, the staging (pre-mainline) driver for the Realtek RTL8723BS Wi-Fi chipset, commonly embedded in ARM-based SBCs, IoT hardware, and budget laptops. CWE-476 (NULL Pointer Dereference) is the root cause: the find_network() function can return NULL under certain Wi-Fi network scan conditions, and this return value is passed directly into rtw_free_network_nolock() without a NULL guard, triggering a kernel panic. The bug was introduced at commit 554c0a3abf216c991c5ebddcdb2c08689ecd290b (first appearing in Linux 4.12) and propagated across all stable branches until the respective fix commits landed. CPE: cpe:2.3:a:linux:linux:*.

RemediationAI

Upgrade to the appropriate patched kernel version for your stable branch: 5.10.253, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0. Fix commits are indexed at https://git.kernel.org/stable/c/cc3f83b6fb3773ad943365d1cd774b4ec050332e and the related stable-branch commits listed in references. For Red Hat and SUSE deployments, monitor vendor errata channels for kernel security updates incorporating these fixes. As an immediate compensating control on systems where the RTL8723BS chipset is not in use, blacklist the driver module by adding blacklist r8723bs to /etc/modprobe.d/blacklist.conf and running update-initramfs -u; this has no functional side effect on systems without the chipset but eliminates the attack surface entirely. On systems where the chipset is active, restrict local user privileges as the attack requires PR:L access.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43159 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy