Skip to main content

Linux Kernel EUVDEUVD-2026-28692

| CVE-2026-43386 HIGH
Out-of-bounds Read (CWE-125)
2026-05-08 Linux GHSA-f55f-7vqj-q3f7
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 08, 2026 - 10:24 vuln.today
CVSS changed
May 26, 2026 - 16:07 NVD
7.1 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
HIGH 7.1
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie

The current code checks 'i + 5 < in_len' at the end of the if statement. However, it accesses 'in_ie[i + 5]' before that check, which can lead to an out-of-bounds read. Move the length check to the beginning of the conditional to ensure the index is within bounds before accessing the array.

AnalysisAI

Out-of-bounds read in the Linux kernel's rtl8723bs staging Wi-Fi driver allows a local authenticated attacker to read memory beyond the WMM IE buffer and potentially crash the kernel. The flaw resides in rtw_restruct_wmm_ie(), which accesses in_ie[i+5] before validating that the index is within in_len. EPSS is 0.02% (7th percentile) and no public exploit identified at time of analysis, but a vendor-released patch is available across multiple stable branches.

Technical ContextAI

The affected code is in drivers/staging/rtl8723bs, the Realtek RTL8723BS SDIO Wi-Fi chipset driver maintained in the kernel's staging tree (used in some ARM single-board computers and low-cost laptops). The function rtw_restruct_wmm_ie() parses WMM (Wi-Fi Multimedia) information elements from association frames or driver-internal IE buffers. The bug is a classic CWE-125 (Out-of-bounds Read): the original code dereferenced in_ie[i + 5] inside the loop body before the bounds check 'i + 5 < in_len' executed, allowing the read to walk past the buffer end. The fix relocates the length comparison to gate the dereference. Affected CPEs are cpe:2.3:a:linux:linux across multiple major branches (4.12 through pre-patch 6.19/7.0 mainline).

RemediationAI

Vendor-released patch: upgrade to one of the fixed Linux stable releases - 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or mainline 7.0 - corresponding to the stable-tree commits at https://git.kernel.org/stable/c/ (e.g., 6ff2243d5e05, a75281626fc8). Distribution users should pull the next Red Hat or SUSE kernel update incorporating these backports. As a compensating control on systems where patching is delayed, blacklist the rtl8723bs module (echo 'blacklist rtl8723bs' > /etc/modprobe.d/rtl8723bs-blacklist.conf, then update initramfs) - the side effect is loss of Wi-Fi on devices that depend on this Realtek chipset (common on Raspberry Pi 3 / some Pi Zero W, certain Pine64 boards, and budget ARM tablets). On servers and systems without RTL8723BS hardware, this mitigation has no functional impact.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28692 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy