Skip to main content

Linux Kernel CVE-2026-46305

| EUVDEUVD-2026-35170 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-08 Linux GHSA-qq6x-p5c6-gqp6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with loaded staging driver required; only availability impacted via kernel panic; no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 15:44 vuln.today
CVSS changed
Jul 08, 2026 - 14:52 NVD
5.5 (MEDIUM)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 nvd
MEDIUM 5.5
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc

The return value of kzalloc_flex() is used without ensuring that the allocation succeeded, and the pointer is dereferenced unconditionally.

Guard the access to the allocated structure to avoid a potential NULL pointer dereference if the allocation fails.

AnalysisAI

NULL pointer dereference in the rtl8723bs staging WiFi driver crashes the Linux kernel when memory allocation fails in rtw_cbuf_alloc(). Systems running Linux 7.0 with an RTL8723BS chipset and the staging driver loaded are affected; a local low-privileged user can trigger a kernel panic resulting in denial of service. No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation probability.

Technical ContextAI

The flaw resides in drivers/staging/rtl8723bs/os_dep/, a staging-tree driver for the Realtek RTL8723BS 802.11n WiFi SoC found primarily in budget ARM embedded and IoT devices. CWE-476 (NULL Pointer Dereference) identifies the root cause: kzalloc_flex(), a kernel flex-array allocator, can return NULL under memory pressure, but rtw_cbuf_alloc() dereferences its return value unconditionally rather than checking for allocation failure first. Staging drivers in the Linux tree carry lower code-quality guarantees than mainline subsystems, making unchecked allocations a recurring pattern. The fix guards the pointer access with a NULL check before any dereference. CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* covers the full Linux kernel product space, but exploitability is constrained to systems with this specific hardware.

RemediationAI

Upgrade to Linux kernel 7.0.7 or 7.1-rc3 or later, which include the upstream fixes available at https://git.kernel.org/stable/c/0a5f411becfb7c57aa89827213d31ef23a03d75a and https://git.kernel.org/stable/c/bc851db06045a40c18233dd76ef0562d7f8bb6db. For systems that do not use the RTL8723BS WiFi adapter, blacklisting the module entirely (adding 'blacklist r8723bs' to /etc/modprobe.d/blacklist.conf and running depmod) eliminates the attack surface with no functional side effects, since the driver only activates on systems with the matching hardware. Systems relying on this chipset for connectivity cannot use the blacklist approach and must patch. Distribution vendors maintaining 7.0.x LTS branches should apply the stable backport commits.

Share

CVE-2026-46305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy