CVE-2025-71234
Received - Intake
Slab-Out-of-Bounds Write in Linux rtl8xxxu WiFi Driver

Publication date: 2026-02-18

Last updated on: 2026-03-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add

The driver does not set hw->sta_data_size, which causes mac80211 to allocate insufficient space for driver private station data in __sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of struct rtl8xxxu_sta_info through sta->drv_priv, this results in a slab-out-of-bounds write.

KASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:

    BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346
    Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12

Set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during probe, similar to how hw->vif_data_size is configured. This ensures mac80211 allocates sufficient space for the driver's per-station private data.

Tested on StarFive VisionFive 2 v1.2A board.

Meta Information
Published: 2026-02-18
Last Modified: 2026-03-18
Generated: 2026-05-07
AI Q&A: 2026-02-18
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 3 associated CPEs

Vendor   Product        Version / Range
linux    linux_kernel   From 6.19 (inclusive) to 6.19.1 (exclusive)
linux    linux_kernel   From 6.13 (inclusive) to 6.18.11 (exclusive)
linux    linux_kernel   From 6.9 (inclusive) to 6.12.72 (exclusive)

CWE ID    Description
CWE-787   The product writes data past the end, or before the beginning, of the intended buffer.

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's rtl8xxxu WiFi driver. The driver fails to set the hw->sta_data_size value, which causes the mac80211 subsystem to allocate insufficient memory for the driver's private station data. When the function rtl8xxxu_sta_add() accesses this private data, it writes beyond the allocated memory boundary, resulting in a slab-out-of-bounds write.

This issue was detected by the Kernel Address Sanitizer (KASAN) on a RISC-V platform using an RTL8192EU adapter, indicating a memory corruption bug due to improper memory allocation size.

The fix involves setting hw->sta_data_size to the correct size of the driver's private station info structure during the probe phase, ensuring mac80211 allocates enough space.


How can this vulnerability impact me?

This vulnerability can lead to memory corruption in the Linux kernel's WiFi driver, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

Since the issue involves a slab-out-of-bounds write, it could be exploited to compromise the security and reliability of devices using the affected driver, especially those running on platforms like RISC-V with the RTL8192EU adapter.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is caused by the driver not setting hw->sta_data_size, leading to insufficient memory allocation and a slab-out-of-bounds write.

To mitigate this vulnerability, ensure that the driver sets hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during the probe phase, similar to how hw->vif_data_size is configured.

Applying the patch or updating to a Linux kernel version that includes this fix will prevent the slab-out-of-bounds write.
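
A first-pass triage for the update advice above, as an added example that is not part of the advisory or of any kernel tooling: it compares a kernel release string with the three version ranges listed on this page and checks whether the rtl8xxxu module is present under /sys/module. The function names and the SYSFS_DIR override are hypothetical; distribution kernels may backport the fix without changing the upstream version number, so a match means "check the vendor changelog", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not from the advisory): triage a host against the upstream
# version ranges listed on this page. Distribution kernels may carry the fix
# under an older version string, so treat the result as a first-pass check.

# ver_num RELEASE: print major*1000000 + minor*1000 + patch for strings such
# as "6.12.70-generic"; everything after the numeric prefix is ignored.
ver_num() {
    v=${1%%[!0-9.]*}
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# in_affected_range RELEASE: succeed when RELEASE falls inside one of the
# "from (inclusive) : to (exclusive)" ranges copied from the CPE list.
in_affected_range() {
    n=$(ver_num "$1")
    for range in 6.9:6.12.72 6.13:6.18.11 6.19:6.19.1; do
        lo=$(ver_num "${range%%:*}")
        hi=$(ver_num "${range##*:}")
        if [ "$n" -ge "$lo" ] && [ "$n" -lt "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# driver_loaded [SYSFS_DIR]: succeed when an rtl8xxxu entry exists under
# /sys/module. SYSFS_DIR is a hypothetical override used only for testing.
driver_loaded() {
    [ -d "${1:-/sys/module}/rtl8xxxu" ]
}

# assess RELEASE [SYSFS_DIR]: print a one-word verdict for this host.
assess() {
    if ! in_affected_range "$1"; then
        echo "not-in-range"
    elif driver_loaded "$2"; then
        echo "in-range-driver-loaded"
    else
        echo "in-range-driver-not-loaded"
    fi
}

assess "$(uname -r)"
```

A verdict of in-range-driver-not-loaded still leaves the host exposed if the module is loaded later, for example when a matching USB adapter is plugged in.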

