Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add

The driver does not set hw->sta_data_size, which causes mac80211 to
allocate insufficient space for driver private station data in
__sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of
struct rtl8xxxu_sta_info through sta->drv_priv, this results in a
slab-out-of-bounds write.

KASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:

BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346
Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12

Set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during
probe, similar to how hw->vif_data_size is configured. This ensures
mac80211 allocates sufficient space for the driver's per-station
private data.

Tested on StarFive VisionFive 2 v1.2A board.
Published: 2026-02-18
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption via slab‑out‑of‑bounds write, potentially exposing the kernel to loss of integrity or privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The rtl8xxxu wireless driver fails to set the hardware station data size, causing mac80211 to allocate insufficient memory for driver private station data. When the driver subsequently accesses this memory, a slab‑out‑of‑bounds write occurs, as confirmed by a KASAN report on VisionFive 2. This overflow can corrupt kernel memory and may lead to loss of integrity or privilege escalation if exploited. The associated weaknesses are identified as CWE‑476 (null pointer dereference) and CWE‑787 (out‑of‑bounds read or write).
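The allocation mismatch described above can be modelled in userspace. This is an added illustration, not code from the kernel or the rtl8xxxu driver; the model_* structures, their fields and the function names are assumed stand-ins for the kernel types.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed stand-in for struct ieee80211_sta: driver data trails the object. */
struct model_sta { unsigned char addr[6]; void *drv_priv[]; };
/* Assumed stand-in for struct rtl8xxxu_sta_info; the fields are illustrative. */
struct model_sta_info { void *sta; void *vif; unsigned char macid; };
/* Assumed stand-in for the one ieee80211_hw field that matters here. */
struct model_hw { size_t sta_data_size; };

/* Per-station allocation: the core object plus what the driver declared. */
size_t model_alloc_size(const struct model_hw *hw)
{
    return sizeof(struct model_sta) + hw->sta_data_size;
}

/* Bytes past the allocation touched by a len-byte write at drv_priv + off. */
size_t model_overrun(const struct model_hw *hw, size_t off, size_t len)
{
    size_t end = offsetof(struct model_sta, drv_priv) + off + len;
    size_t alloc = model_alloc_size(hw);
    return end > alloc ? end - alloc : 0;
}

/* sta_add model that checks the private area before writing to it. */
int model_sta_add(const struct model_hw *hw)
{
    struct model_sta *sta = calloc(1, model_alloc_size(hw));
    struct model_sta_info *info;
    if (!sta)
        return -1;
    if (model_overrun(hw, 0, sizeof(*info))) {
        free(sta);          /* the unpatched driver writes here regardless */
        return -1;
    }
    info = (struct model_sta_info *)sta->drv_priv;
    info->sta = sta;
    info->macid = 1;        /* constructed value */
    free(sta);
    return 0;
}

int main(void)
{
    struct model_hw unset = { 0 }, fixed = { sizeof(struct model_sta_info) };
    printf("unset add=%d, fixed add=%d\n", model_sta_add(&unset), model_sta_add(&fixed));
    return 0;
}
```

With sta_data_size left at zero, even the first pointer-sized store into the private area lands past the end of the object; once the size is declared, the same store is in bounds.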

Affected Systems

Linux kernel systems that use the rtl8xxxu driver – notably kernel distributions that ship this driver as part of the standard kernel module set. The impact applies to all supported kernel versions that lack the patch setting hw->sta_data_size during probe, with particular exposure on architectures such as RISC‑V where the bug was reproduced.

Risk and Exploitability

The CVSS score of 7.8 indicates a high level of severity. However, the EPSS score is reported as < 1 %, showing a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to be able to influence the driver’s operation, likely by sending crafted management frames or manipulating the wireless interface, which is a local or remote attack vector depending on device configuration. Given the low EPSS, immediate risk to unpatched systems is moderate but could increase if the flaw becomes widely exploited.

Generated by OpenCVE AI on April 20, 2026 at 18:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel that includes the rtl8xxxu driver fix (commit 116f7bd… or later).
  • Reboot the system to load the updated kernel and any rebuilt modules.
  • If an update cannot be applied immediately, temporarily unload or disable the rtl8xxxu module (e.g., with modprobe -r rtl8xxxu) until the fix is available.

Advisories
Source      ID          Title
Debian DSA  DSA-6141-1  linux security update
History

Wed, 18 Mar 2026 17:15:00 +0000

Type: Weaknesses
Values Added: CWE-787

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H'}
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 03:30:00 +0000


Fri, 20 Feb 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-476

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H'}; threat_severity Moderate


Wed, 18 Feb 2026 15:30:00 +0000

Type: Description
Values Added: In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add The driver does not set hw->sta_data_size, which causes mac80211 to allocate insufficient space for driver private station data in __sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of struct rtl8xxxu_sta_info through sta->drv_priv, this results in a slab-out-of-bounds write. KASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter: BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346 Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12 Set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during probe, similar to how hw->vif_data_size is configured. This ensures mac80211 allocates sufficient space for the driver's per-station private data. Tested on StarFive VisionFive 2 v1.2A board.

Type: Title
Values Added: wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add

Type: First Time appeared
Values Added: Linux; Linux linux Kernel

Type: CPEs
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Linux; Linux linux Kernel

Type: References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:02:22.392Z

Reserved: 2026-02-18T14:25:13.845Z

Link: CVE-2025-71234

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-18T16:22:30.190

Modified: 2026-03-18T17:13:08.443

Link: CVE-2025-71234

Redhat

Severity: Moderate

Public Date: 2026-02-18T00:00:00Z

Links: CVE-2025-71234 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T19:00:10Z
