CVE-2026-23073
Memory Corruption in Linux RSI WiFi Driver Due to Missing VIF Data Size

Publication date: 2026-02-04

Last updated on: 2026-03-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: rsi: Fix memory corruption due to not set vif driver data size

The struct ieee80211_vif contains trailing space for vif driver data; when struct ieee80211_vif is allocated, the total memory size that is allocated is sizeof(struct ieee80211_vif) + size of vif driver data. The size of vif driver data is set by each WiFi driver as needed.

The RSI911x driver does not set vif driver data size, no trailing space for vif driver data is therefore allocated past struct ieee80211_vif. The RSI911x driver does however use the vif driver data to store its vif driver data structure "struct vif_priv". An access to vif->drv_priv leads to access out of struct ieee80211_vif bounds and corruption of some memory.

In case of the failure observed locally, rsi_mac80211_add_interface() would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv; vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member struct list_head new_flows. The flow = list_first_entry(head, struct fq_flow, flowchain); in fq_tin_reset() then reports a non-NULL bogus address, which when accessed causes a crash.

The trigger is very simple: boot the machine with init=/bin/sh, mount devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1", "ip link set wlan0 down" and the crash occurs.

Fix this by setting the correct size of vif driver data, which is the size of "struct vif_priv", so that memory is allocated and the driver can store its driver data in it, instead of corrupting memory around it.
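The allocation rule the description relies on, as an added userspace model (not kernel code and not the RSI driver's code): mac80211 sizes the driver-owned tail of struct ieee80211_vif from the size the driver reports, so a reported size of zero means the driver's first write through drv_priv lands on whatever object sits next in memory. Struct layouts, the neighbour object and the function names other than rsi_add_interface are simplified stand-ins constructed for this example.

```c
/* Added example: a userspace model of the mac80211 vif allocation pattern, not
 * kernel code. Layouts are simplified; the real struct ieee80211_vif has many
 * more members, but its drv_priv tail is declared __aligned(sizeof(void *)). */
#include <stdlib.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

struct ieee80211_vif {
    int type;
    unsigned char addr[6];
    unsigned char drv_priv[] __attribute__((aligned(sizeof(void *)))); /* driver-owned tail */
};

struct vif_priv { int vap_id; int key_id; };      /* RSI per-vif data (simplified) */
struct neighbour { struct list_head new_flows; };  /* stands in for the fq_tin list head */

/* mac80211 allocates sizeof(struct ieee80211_vif) + hw->vif_data_size. Here the
 * size is a parameter, and a neighbour object is placed directly after the vif,
 * like an adjacent slab object. Layout: [vif][vif_data_size bytes][neighbour]. */
static unsigned char *alloc_vif_with_neighbour(size_t vif_data_size, struct neighbour **nb)
{
    size_t vif_len = sizeof(struct ieee80211_vif) + vif_data_size;
    unsigned char *mem = calloc(1, vif_len + sizeof(struct neighbour));
    if (!mem) return NULL;
    *nb = (struct neighbour *)(mem + vif_len);
    (*nb)->new_flows.next = (*nb)->new_flows.prev = &(*nb)->new_flows; /* empty list */
    return mem;
}

/* The write the CVE text quotes from rsi_mac80211_add_interface(). */
static void rsi_add_interface(struct ieee80211_vif *vif, int vap_idx)
{
    struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv;
    vif_info->vap_id = vap_idx;
}

/* 1 if add_interface changed the neighbour's list head (the bug), 0 if it stayed
 * intact (vif_data_size >= sizeof(struct vif_priv), the fix), -1 on alloc failure. */
int neighbour_corrupted(size_t vif_data_size)
{
    struct neighbour *nb;
    unsigned char *mem = alloc_vif_with_neighbour(vif_data_size, &nb);
    if (!mem) return -1;
    struct list_head before = nb->new_flows;
    rsi_add_interface((struct ieee80211_vif *)mem, 1);
    int corrupted = memcmp(&before, &nb->new_flows, sizeof before) != 0;
    free(mem);
    return corrupted;
}
```

neighbour_corrupted(0) models the unfixed driver and returns 1; neighbour_corrupted(sizeof(struct vif_priv)) models the fix, where the write stays inside the tail that was actually allocated, and returns 0.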
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-04
EPSS evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Showing 12 associated CPEs (vendor: linux, product: linux_kernel)
Version / Range
  From 3.15 (inc) to 5.10.249 (exc)
  From 5.11 (inc) to 5.15.199 (exc)
  From 5.16 (inc) to 6.1.162 (exc)
  From 6.2 (inc) to 6.6.122 (exc)
  From 6.7 (inc) to 6.12.68 (exc)
  From 6.13 (inc) to 6.18.8 (exc)
  6.19 (six CPE entries)
CWE
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can lead to memory corruption in the Linux kernel, which may cause system instability or crashes when using the affected WiFi driver (RSI911x).

An attacker or a user with access to the system could trigger the vulnerability by manipulating the network interface (e.g., bringing the wlan0 interface up and down), potentially causing denial of service (DoS) due to kernel crashes.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to apply the fix that sets the correct size of the vif driver data to the size of struct vif_priv. This ensures that sufficient memory is allocated and prevents memory corruption.

Until the fix is applied, avoid triggering the vulnerable code path by not bringing the wlan0 interface up and down repeatedly, as this sequence causes the crash.

Additionally, updating the Linux kernel to a version that includes this fix is recommended to fully resolve the issue.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by triggering the conditions that cause the memory corruption and crash in the RSI911x WiFi driver. Specifically, the issue occurs when the vif driver data size is not set, leading to out-of-bounds memory access.

A simple way to test for the vulnerability is to boot the affected machine with init=/bin/sh, mount devtmpfs, sysfs, and procfs, then execute the following commands:

  • ip link set wlan0 up
  • sleep 1
  • ip link set wlan0 down

If the system crashes or exhibits memory corruption after these commands, it indicates the presence of the vulnerability.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's WiFi driver for the RSI911x device. The issue arises because the driver never tells mac80211 how much vif driver data it needs, so when mac80211 allocates the ieee80211_vif structure no extra memory is reserved after it for the vif driver data, yet the driver still uses that space to store its private data.

This leads to out-of-bounds memory access and corruption. Specifically, when the driver writes to vif->drv_priv, it overwrites memory beyond the allocated structure, corrupting other kernel data structures. This corruption can cause crashes when the kernel later accesses the corrupted memory.

The vulnerability can be triggered by simple network interface commands such as bringing the wlan0 interface up and down, causing a crash due to memory corruption.

The fix involves correctly setting the size of the vif driver data to the size of the driver's private data structure, ensuring proper memory allocation and preventing corruption.

