Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access with loaded staging driver required; only availability impacted via kernel panic; no confidentiality or integrity effect.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc
The return value of kzalloc_flex() is used without ensuring that the allocation succeeded, and the pointer is dereferenced unconditionally.
Guard the access to the allocated structure to avoid a potential NULL pointer dereference if the allocation fails.
AnalysisAI
NULL pointer dereference in the rtl8723bs staging WiFi driver crashes the Linux kernel when memory allocation fails in rtw_cbuf_alloc(). Systems running Linux 7.0 with an RTL8723BS chipset and the staging driver loaded are affected; a local low-privileged user can trigger a kernel panic resulting in denial of service. No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation probability.
Technical ContextAI
The flaw resides in drivers/staging/rtl8723bs/os_dep/, a staging-tree driver for the Realtek RTL8723BS 802.11n WiFi SoC found primarily in budget ARM embedded and IoT devices. CWE-476 (NULL Pointer Dereference) identifies the root cause: kzalloc_flex(), a kernel flex-array allocator, can return NULL under memory pressure, but rtw_cbuf_alloc() dereferences its return value unconditionally rather than checking for allocation failure first. Staging drivers in the Linux tree carry lower code-quality guarantees than mainline subsystems, making unchecked allocations a recurring pattern. The fix guards the pointer access with a NULL check before any dereference. CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* covers the full Linux kernel product space, but exploitability is constrained to systems with this specific hardware.
RemediationAI
Upgrade to Linux kernel 7.0.7 or 7.1-rc3 or later, which include the upstream fixes available at https://git.kernel.org/stable/c/0a5f411becfb7c57aa89827213d31ef23a03d75a and https://git.kernel.org/stable/c/bc851db06045a40c18233dd76ef0562d7f8bb6db. For systems that do not use the RTL8723BS WiFi adapter, blacklisting the module entirely (adding 'blacklist r8723bs' to /etc/modprobe.d/blacklist.conf and running depmod) eliminates the attack surface with no functional side effects, since the driver only activates on systems with the matching hardware. Systems relying on this chipset for connectivity cannot use the blacklist approach and must patch. Distribution vendors maintaining 7.0.x LTS branches should apply the stable backport commits.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35170
GHSA-qq6x-p5c6-gqp6