CVE-2025-68256 - Vulnerability Details

- staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser

Description

In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser

The Information Element (IE) parser rtw_get_ie() trusted the length
byte of each IE without validating that the IE body (len bytes after
the 2-byte header) fits inside the remaining frame buffer. A malformed
frame can advertise an IE length larger than the available data, causing
the parser to increment its pointer beyond the buffer end. This results
in out-of-bounds reads or, depending on the pattern, an infinite loop.

Fix by validating that (offset + 2 + len) does not exceed the limit
before accepting the IE or advancing to the next element.

This prevents OOB reads and ensures the parser terminates safely on
malformed frames.

Published: 2025-12-16

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is located in the rtl8723bs wireless driver’s rtw_get_ie() Information Element parser. It treats the length byte of each IE as trustworthy without guaranteeing that the IE body fits within the remaining frame buffer. When an attacker sends a malformed frame that advertises an IE length larger than the actual data, the parser will increment its pointer past the buffer end, resulting in out‑of‑bounds memory reads or, in certain patterns, an infinite loop. The out‑of‑bounds read could expose kernel memory contents, leading to information disclosure, and the loop could degrade system availability.

Affected Systems

The flaw exists in the Linux kernel’s staging rtl8723bs driver. Any kernel build that contains an unpatched rtl8723bs driver before the commit that introduces the fix is vulnerable. No specific vendor or version list is supplied, so all Linux kernels using the unpatched driver are potentially affected.

Risk and Exploitability

The EPSS score is reported as less than 1%, indicating a low probability of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely exploited. However, the likely attack vector is remote: an adversary could forge an 802.11 frame with a malicious Information Element and transmit it to a target device that loads the rtl8723bs driver. The out‑of‑bounds read may reveal kernel memory and could compromise confidentiality; the infinite‑loop scenario may affect availability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`554c0a3abf216c991c5ebddcdb2c08689ecd290b`	affected	< 9829c6e1b2e4180fd18315252ad6faeab6128076
`554c0a3abf216c991c5ebddcdb2c08689ecd290b`	affected	< b977eb31802817f4a37da95bf16bfdaa1eeb5fc2
`554c0a3abf216c991c5ebddcdb2c08689ecd290b`	affected	< 30c558447e90935f0de61be181bbcedf75952e00
`554c0a3abf216c991c5ebddcdb2c08689ecd290b`	affected	< a54e2b2db1b7de2e008b4f62eec35aaefcc663c5
`554c0a3abf216c991c5ebddcdb2c08689ecd290b`	affected	< df191dd9f4c7249d98ada55634fa8ac19089b8cb
`554c0a3abf216c991c5ebddcdb2c08689ecd290b`	affected	< c0d93d69e1472ba75b78898979b90a98ba2a2501
`554c0a3abf216c991c5ebddcdb2c08689ecd290b`	affected	< 154828bf9559b9c8421fc2f0d7f7f76b3683aaed

Linux

affected

Version	Status	Constraints
`4.12`	affected	—
`0`	unaffected	< 4.12
`5.15.203`	unaffected	≤ 5.15.*
`6.1.160`	unaffected	≤ 6.1.*
`6.6.120`	unaffected	≤ 6.6.*
`6.12.62`	unaffected	≤ 6.12.*
`6.17.12`	unaffected	≤ 6.17.*
`6.18.1`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that incorporates the rtl8723bs fix or apply the patch from commit 154828bf9559b9c8421fc2f0d7f7f76b3683aaed.
If a kernel update cannot be applied immediately, unload or disable the rtl8723bs driver so it cannot process Wi‑Fi frames, eliminating the vulnerable code path.
As a temporary defense, block or filter malformed IEEE 802.11 frames from untrusted sources or use firewall rules to prevent the driver from seeing malicious frames. If the hardware is not required, reconfigure the kernel to exclude the rtl8723bs staging driver (CONFIG_RTL8723BS).

Generated by OpenCVE AI on April 20, 2026 at 16:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4476-1	linux-6.1 security update
Debian DSA	DSA-6127-1	linux security update
Ubuntu USN	USN-8094-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8094-2	Linux kernel vulnerabilities
Ubuntu USN	USN-8094-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8094-4	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8094-5	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-8152-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-8179-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8184-1	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8179-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8185-1	Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN	USN-8179-3	Linux kernel vulnerabilities
Ubuntu USN	USN-8203-1	Linux kernel (Oracle) vulnerabilities
Ubuntu USN	USN-8204-1	Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN	USN-8185-2	Linux kernel (Low Latency NVIDIA) vulnerabilities
Ubuntu USN	USN-8179-4	Linux kernel (GCP) vulnerabilities

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00068.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/154828bf9559b9c8421fc2f0d7f7f76b3683aaed
https://git.kernel.org/stable/c/30c558447e90935f0de61be181bbcedf75952e00
https://git.kernel.org/stable/c/9829c6e1b2e4180fd18315252ad6faeab6128076
https://git.kernel.org/stable/c/a54e2b2db1b7de2e008b4f62eec35aaefcc663c5
https://git.kernel.org/stable/c/b977eb31802817f4a37da95bf16bfdaa1eeb5fc2
https://git.kernel.org/stable/c/c0d93d69e1472ba75b78898979b90a98ba2a2501
https://git.kernel.org/stable/c/df191dd9f4c7249d98ada55634fa8ac19089b8cb
https://lore.kernel.org/linux-cve-announce/2025121612-CVE-2025-68256-5ed2@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-68256
https://www.cve.org/CVERecord?id=CVE-2025-68256

History

Mon, 20 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-788

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/9829c6e1b2e4180fd18315252ad6faeab6128076

Sun, 11 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/30c558447e90935f0de61be181bbcedf75952e00 https://git.kernel.org/stable/c/b977eb31802817f4a37da95bf16bfdaa1eeb5fc2

Wed, 17 Dec 2025 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025121612-CVE-2025-68256-5ed2@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-68256 https://www.cve.org/CVERecord?id=CVE-2025-68256
Metrics	threat_severity `None`	threat_severity `Moderate`

Tue, 16 Dec 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser The Information Element (IE) parser rtw_get_ie() trusted the length byte of each IE without validating that the IE body (len bytes after the 2-byte header) fits inside the remaining frame buffer. A malformed frame can advertise an IE length larger than the available data, causing the parser to increment its pointer beyond the buffer end. This results in out-of-bounds reads or, depending on the pattern, an infinite loop. Fix by validating that (offset + 2 + len) does not exceed the limit before accepting the IE or advancing to the next element. This prevents OOB reads and ensures the parser terminates safely on malformed frames.
Title		staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/154828bf9559b9c8421fc2f0d7f7f76b3683aaed https://git.kernel.org/stable/c/a54e2b2db1b7de2e008b4f62eec35aaefcc663c5 https://git.kernel.org/stable/c/c0d93d69e1472ba75b78898979b90a98ba2a2501 https://git.kernel.org/stable/c/df191dd9f4c7249d98ada55634fa8ac19089b8cb

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-12-16T14:44:58.829Z

Updated: 2026-04-18T08:57:11.909Z

Reserved: 2025-12-16T13:41:40.267Z

Link: CVE-2025-68256

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2025-12-16T15:15:54.990

Modified: 2026-04-18T09:16:12.977

Link: CVE-2025-68256

Redhat

Severity : Moderate

Publid Date: 2025-12-16T00:00:00Z

Links: CVE-2025-68256 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T16:15:11Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object