CVE-2025-71229
Received Received - Intake
Alignment Fault in Linux rtw88 WiFi Driver Causes Kernel Crash

Publication date: 2026-02-18

Last updated on: 2026-03-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems. Do 1 byte reads/writes instead. Unable to handle kernel paging request at virtual address ffff8000827e0522 Mem abort info: ESR = 0x0000000096000021 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x21: alignment fault Data abort info: ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000 [ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13 Internal error: Oops: 0000000096000021 [#1] SMP Modules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...] CPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G W 6.17.9 #1-NixOS VOLUNTARY Tainted: [W]=WARN Hardware name: FriendlyElec NanoPC-T6 LTS (DT) Workqueue: phy0 rtw_c2h_work [rtw88_core] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : rtw_pci_read32+0x18/0x40 [rtw88_pci] lr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core] sp : ffff800080cc3ca0 x29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828 x26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00 x23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001 x20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522 Call trace: rtw_pci_read32+0x18/0x40 [rtw88_pci] (P) rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core] rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core] rtw_c2h_work+0x50/0x98 [rtw88_core] process_one_work+0x178/0x3f8 worker_thread+0x208/0x418 kthread+0x120/0x220 ret_from_fork+0x10/0x20 Code: d28fe202 8b020000 f9524400 8b214000 (b9400000) ---[ end trace 0000000000000000 ]---
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-03-18
Generated
2026-05-27
AI Q&A
2026-02-18
EPSS Evaluated
2026-05-25
NVD
CVE-2025-71229
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 6.19.1 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.72 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.11 (exc)
linux linux_kernel From 6.5 (inc) to 6.6.125 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

This vulnerability can cause the affected system to crash due to an alignment fault when the rtw_core_enable_beacon() function is executed. This results in a kernel panic or system instability, potentially leading to denial of service.

Systems using the affected Realtek rtw88 wifi driver may experience unexpected reboots or loss of network connectivity, impacting availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's wifi driver component rtw88, specifically in the function rtw_core_enable_beacon(). The function attempts to read 4 bytes from a memory address that is not aligned to a multiple of 4, which causes an alignment fault and results in a system crash on some hardware platforms.

The issue is due to improper memory access alignment, and the fix involves changing the code to perform 1 byte reads and writes instead of 4 byte accesses to avoid the alignment fault.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability causes a crash in the Linux kernel related to the rtw88 wifi driver, specifically in the function rtw_core_enable_beacon(). Detection can be done by monitoring kernel logs for crash messages or oops reports indicating an alignment fault in rtw88 modules.

  • Check kernel logs for alignment fault errors related to rtw88 using: dmesg | grep -i rtw88
  • Look for kernel oops or panic messages mentioning rtw_core_enable_beacon or rtw_pci_read32.
  • Use journalctl to review recent kernel errors: journalctl -k | grep -i rtw88

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by changing the code to perform 1 byte reads/writes instead of 4 bytes in rtw_core_enable_beacon(). Immediate mitigation involves updating the Linux kernel to a version that includes this fix.

  • Update your Linux kernel to the latest version that contains the patch for this issue.
  • If updating immediately is not possible, consider disabling the affected rtw88 wifi modules temporarily to prevent crashes.
  • Monitor system stability and kernel logs for related errors until the patch is applied.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart