Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Local low-priv trigger of an over-read (AV:L/AC:L/PR:L) disclosing adjacent kernel memory (C:H) and risking a driver crash (A:H); no data modification (I:N).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix buffer over-read in rtw_update_protection
rtw_update_protection() is called with a pointer offset into the ies buffer but the full ie_length is passed, causing a potential buffer over-read.
AnalysisAI
Out-of-bounds kernel memory read in the Linux kernel's rtl8723bs staging Wi-Fi driver (Realtek RTL8723BS SDIO) lets a local low-privileged actor read past the intended information-element (IE) buffer. rtw_update_protection() receives a pointer already offset into the ies buffer while still being passed the full ie_length, so parsing walks beyond the valid data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to be running the rtl8723bs staging driver - actual Realtek RTL8723BS SDIO Wi-Fi hardware must be present and the module loaded, which is the primary limiting factor and is not a default on most servers or enterprise endpoints. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N, C:H/I:N/A:H, base 7.1) frames this as a locally-triggered issue yielding kernel memory disclosure and potential denial of service, with no integrity impact - consistent with an over-read. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a device using the RTL8723BS Wi-Fi chipset, an attacker with local low-privileged access (or, if the call path is reached via received frames, a nearby rogue access point) causes the driver to parse crafted information elements. rtw_update_protection() then reads past the IE buffer, leaking adjacent kernel memory or crashing the driver. … |
| Remediation | Vendor-released patch: upgrade to Linux kernel 6.18.36, 7.0.13, or 7.1 (or later on your branch), which correct the pointer/length mismatch in rtw_update_protection(); the upstream fixes are the commits at https://git.kernel.org/stable/c/735dabdf21561a24d8bcae456c9c32f7f961a029 and its stable backports (303f65af819f6d5aa302e82bce72b57a8575faea, 514ab98364595007d4557ecc85d7e5f012c504d3, c35ce55b12bb8fcd365daeb516e9782048119b36). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running the rtl8723bs staging driver (common in some Linux distributions and embedded systems). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39270
GHSA-jr2w-mc6v-cfpj