CVE-2025-71234
Slab-Out-of-Bounds Write in Linux rtl8xxxu WiFi Driver

Publication date: 2026-02-18

Last updated on: 2026-03-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add

The driver does not set hw->sta_data_size, which causes mac80211 to allocate insufficient space for driver private station data in __sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of struct rtl8xxxu_sta_info through sta->drv_priv, this results in a slab-out-of-bounds write.

KASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:

  BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346
  Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12

Set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during probe, similar to how hw->vif_data_size is configured. This ensures mac80211 allocates sufficient space for the driver's per-station private data.

Tested on StarFive VisionFive 2 v1.2A board.

Meta Information
Published: 2026-02-18
Last Modified: 2026-03-18
Generated: 2026-06-16
AI Q&A: 2026-02-18
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 3 associated CPEs
Vendor  Product       Version / Range
linux   linux_kernel  From 6.19 (inc) to 6.19.1 (exc)
linux   linux_kernel  From 6.13 (inc) to 6.18.11 (exc)
linux   linux_kernel  From 6.9 (inc) to 6.12.72 (exc)
CWE ID   Description
CWE-787  The product writes data past the end, or before the beginning, of the intended buffer.
Executive Summary

This vulnerability exists in the Linux kernel's rtl8xxxu WiFi driver. The driver fails to set the hw->sta_data_size value, which causes the mac80211 subsystem to allocate insufficient memory for the driver's private station data. When the function rtl8xxxu_sta_add() accesses this private data, it writes beyond the allocated memory boundary, resulting in a slab-out-of-bounds write.

This issue was detected by the Kernel Address Sanitizer (KASAN) on a RISC-V platform using an RTL8192EU adapter, indicating a memory corruption bug due to improper memory allocation size.

The fix involves setting hw->sta_data_size to the correct size of the driver's private station info structure during the probe phase, ensuring mac80211 allocates enough space.
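
The sizing relationship described above, as an added userspace model (not the kernel's or the driver's own code). The model_* structures and their field layouts are constructed stand-ins, assumed only to mirror the pattern of a core-allocated station object whose trailing drv_priv area is sized by hw->sta_data_size.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the objects named in the description. */
struct model_hw {
    size_t sta_data_size;          /* stays 0 if the driver never sets it */
};
struct model_sta {
    unsigned char addr[6];
    /* driver-private area; its size comes from hw->sta_data_size */
    unsigned char drv_priv[] __attribute__((aligned(sizeof(void *))));
};
struct model_sta_info {            /* stand-in for struct rtl8xxxu_sta_info */
    void *sta;
    unsigned char macid;
};

/* Bytes reserved for one station: core part plus driver-private area. */
static size_t sta_alloc_size(const struct model_hw *hw)
{
    return sizeof(struct model_sta) + hw->sta_data_size;
}

/* Would a write of len bytes at offset off in drv_priv stay in bounds? */
static int drv_priv_write_fits(const struct model_hw *hw, size_t off, size_t len)
{
    return offsetof(struct model_sta, drv_priv) + off + len <= sta_alloc_size(hw);
}

/* Models the sta_add path; returns -1 rather than writing out of bounds. */
static int model_sta_add(const struct model_hw *hw)
{
    struct model_sta *sta = calloc(1, sta_alloc_size(hw));
    if (!sta || !drv_priv_write_fits(hw, 0, sizeof(struct model_sta_info))) {
        free(sta);
        return -1;
    }
    ((struct model_sta_info *)sta->drv_priv)->macid = 1;
    free(sta);
    return 0;
}

int main(void)
{
    struct model_hw unset = { 0 }, fixed = { sizeof(struct model_sta_info) };
    printf("unset=%d fixed=%d\n", model_sta_add(&unset), model_sta_add(&fixed));
    return 0;
}
```

With sta_data_size left at 0 the allocation ends exactly where drv_priv begins, so any access through it is out of bounds; setting the field to the private structure's size makes the same access fit.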

Impact Analysis

This vulnerability can lead to memory corruption in the Linux kernel's WiFi driver, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

Since the issue involves a slab-out-of-bounds write, it could be exploited to compromise the security and reliability of devices using the affected driver, such as the RISC-V platform with the RTL8192EU adapter on which the KASAN report was captured.

Mitigation Strategies

The vulnerability is caused by the driver not setting hw->sta_data_size, leading to insufficient memory allocation and a slab-out-of-bounds write.

To mitigate this vulnerability, ensure that the driver sets hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during the probe phase, similar to how hw->vif_data_size is configured.

Applying the patch or updating to a Linux kernel version that includes this fix will prevent the slab-out-of-bounds write.
