Skip to main content

Linux Kernel rtw89 CVE-2026-43213

| EUVDEUVD-2026-27775 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-06 Linux GHSA-g35v-pp28-72vc
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:38 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.5 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw89: pci: validate sequence number of TX release report

Hardware rarely reports abnormal sequence number in TX release report, which will access out-of-bounds of wd_ring->pages array, causing NULL pointer dereference.

BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 1085 Comm: irq/129-rtw89_p Tainted: G S U 6.1.145-17510-g2f3369c91536 #1 (HASH:69e8 1) Call Trace: <IRQ> rtw89_pci_release_tx+0x18f/0x300 [rtw89_pci (HASH:4c83 2)] rtw89_pci_napi_poll+0xc2/0x190 [rtw89_pci (HASH:4c83 2)] net_rx_action+0xfc/0x460 net/core/dev.c:6578 net/core/dev.c:6645 net/core/dev.c:6759 handle_softirqs+0xbe/0x290 kernel/softirq.c:601 ? rtw89_pci_interrupt_threadfn+0xc5/0x350 [rtw89_pci (HASH:4c83 2)] __local_bh_enable_ip+0xeb/0x120 kernel/softirq.c:499 kernel/softirq.c:423 </IRQ> <TASK> rtw89_pci_interrupt_threadfn+0xf8/0x350 [rtw89_pci (HASH:4c83 2)] ? irq_thread+0xa7/0x340 kernel/irq/manage.c:0 irq_thread+0x177/0x340 kernel/irq/manage.c:1205 kernel/irq/manage.c:1314 ? thaw_kernel_threads+0xb0/0xb0 kernel/irq/manage.c:1202 ? irq_forced_thread_fn+0x80/0x80 kernel/irq/manage.c:1220 kthread+0xea/0x110 kernel/kthread.c:376 ? synchronize_irq+0x1a0/0x1a0 kernel/irq/manage.c:1287 ? kthread_associate_blkcg+0x80/0x80 kernel/kthread.c:331 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK>

To prevent crash, validate rpp_info.seq before using.

AnalysisAI

Null pointer dereference in Linux kernel Realtek rtw89 WiFi PCI driver allows adjacent network attackers to trigger kernel crashes via malformed TX release reports with abnormal sequence numbers. The vulnerability causes out-of-bounds array access in wd_ring->pages when hardware reports invalid sequence numbers during wireless transmission operations. Vendor-released patches are available for kernel versions 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity, though the CVSS vector (AV:A/AC:H/PR:N/UI:N) shows adjacent network access with high attack complexity enables complete system compromise without authentication.

Technical ContextAI

The rtw89 driver (Realtek 802.11ax wireless chipset support) uses ring buffer structures (wd_ring->pages array) to manage PCI DMA transactions for wireless packet transmission. The TX release reporting mechanism allows hardware to signal completion of transmit operations via sequence numbers indexing into these ring buffers. The vulnerability stems from missing bounds validation on hardware-reported sequence numbers in the rtw89_pci_release_tx() function before dereferencing array elements. When malicious or corrupted hardware firmware reports sequence numbers exceeding array bounds, the driver attempts to access unallocated memory regions, triggering NULL pointer dereference in kernel context during NAPI polling (network packet processing). The affected code path executes in interrupt context (irq/129-rtw89_p thread) within net_rx_action softirq handling, making kernel crashes immediately visible. The fix validates rpp_info.seq against array bounds before indexing operations, as documented in upstream commits 957eda596c76, b342dd13aedc, and ef7fa19809b2.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.16 or later in the 6.18.x series, 6.19.6 or later in the 6.19.x series, or 7.0 final release and later. Upstream fixes available at https://git.kernel.org/stable/c/ef7fa19809b2d892d45da53f90ac698d13c367fd (7.0), https://git.kernel.org/stable/c/b342dd13aedccb0dd27365f6cc63a262f42394ce (6.18.16), and https://git.kernel.org/stable/c/957eda596c7665f2966970fd1dcc35fe299b38e8 (6.19.6). For systems unable to immediately patch, unload the rtw89_pci kernel module with 'modprobe -r rtw89_pci' and use alternative wireless hardware or wired networking - this completely removes the vulnerable code path but eliminates WiFi functionality for Realtek rtw89 chipsets. Alternatively, restrict wireless network access to trusted segments only and implement 802.1X authentication to limit adjacent network attack surface, though this mitigation reduces rather than eliminates risk since authenticated adjacent attackers retain exploit capability. Disabling the wireless interface via 'ip link set <interface> down' prevents the driver from processing TX release reports but may not fully protect if the interface is brought up by network management daemons.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43213 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy