Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Adjacent radio delivery (AV:A) of a crafted management frame, no auth or interaction (PR:N/UI:N), unsigned underflow yields OOB read enabling kernel memory leak (C:H) and crash (A:H), no integrity impact.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction
Add guards to ensure ie_length is large enough before subtracting fixed IE offsets to prevent unsigned integer underflow.
AnalysisAI
Memory-safety flaw in the Linux kernel's staging rtl8723bs Realtek SDIO Wi-Fi driver allows an adjacent (radio-range) attacker to trigger an unsigned-integer underflow in the rtw_mlme information-element parsing path, leading to out-of-bounds reads that can disclose kernel memory or crash the system. The bug occurs because ie_length was not validated before fixed IE offsets were subtracted from it. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to be running the Linux kernel rtl8723bs staging driver (i.e., a device with a Realtek RTL8723BS SDIO Wi-Fi chip and the driver loaded and active), and the attacker must be within wireless radio range (CVSS AV:A) to deliver a crafted 802.11 management frame with an undersized Information Element. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker within Wi-Fi range of a vulnerable device crafts an 802.11 management frame containing a malformed Information Element whose declared/effective length is smaller than the fixed IE offsets the driver subtracts. When rtw_mlme parses it, ie_length underflows to a huge unsigned value, and the driver reads far beyond the frame buffer - crashing the kernel (DoS) or potentially leaking adjacent kernel memory. … |
| Remediation | Apply the upstream kernel fix: update to a stable kernel containing commits 542d65a6dbd9733baab96313c9fe76a76e93f484 and 88e994c57a79f62d5338231d8d37ee8dd98baffe (the patch series identified as 7.0.13 and 7.1), available via https://git.kernel.org/stable/c/542d65a6dbd9733baab96313c9fe76a76e93f484 and https://git.kernel.org/stable/c/88e994c57a79f62d5338231d8d37ee8dd98baffe; on distribution kernels, install the vendor's updated stable kernel package. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory systems running the rtl8723bs Realtek SDIO Wi-Fi driver to assess exposure scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-191 – Integer Underflow
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39269
GHSA-c9gv-4j5c-v56g