CVE-2026-43213
NULL Pointer Dereference in Realtek rtw89 PCI WiFi Driver
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: kernel.org
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's wifi driver rtw89 for PCI devices. It occurs because the hardware sometimes reports an abnormal sequence number in the TX release report. When this happens, the kernel accesses an out-of-bounds element of the wd_ring->pages array, which leads to a NULL pointer dereference and causes the kernel to crash.
The issue is triggered by an invalid sequence number that is not properly validated before use. The fix involves validating the sequence number (rpp_info.seq) before accessing the array to prevent the crash.
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference triggered by an out-of-bounds array access in the wifi driver. Such a crash can lead to system instability, denial of service, or unexpected reboots, impacting the availability and reliability of systems using the affected driver.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes a kernel NULL pointer dereference leading to a crash. Detection can be done by monitoring system logs for kernel oops messages related to the rtw89_pci driver, specifically messages indicating a NULL pointer dereference or sequence number validation failure in the TX release report.
You can check the kernel logs using commands such as:
- dmesg | grep -i 'rtw89_pci'
- journalctl -k | grep -i 'NULL pointer dereference'
- journalctl -k | grep -i 'rtw89_pci_release_tx'
These commands help identify if the kernel has logged any crashes or errors related to this vulnerability.
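Each grep above matches on a single signal, so an unrelated oops or a routine driver message also produces a hit. The function below is an added example, not taken from the advisory or the kernel project: it counts only NULL pointer dereference oopses whose own trace mentions rtw89_pci. The sample log lines, including the module name example_mod, are constructed for illustration and are not output from an affected system.

```shell
#!/bin/sh
# Count kernel oopses that are BOTH a NULL pointer dereference AND mention
# rtw89_pci somewhere between the "BUG:" line and the "end trace" marker.
# Reads kernel log text on stdin and prints the count.
count_rtw89_oops() {
    awk '
        /BUG: kernel NULL pointer dereference/ {
            # A new oops starts; close out a previous one that was cut short.
            if (in_oops && hit) n++
            in_oops = 1; hit = 0
            next
        }
        in_oops && /rtw89_pci/ { hit = 1 }
        in_oops && /---\[ end trace/ {
            if (hit) n++
            in_oops = 0
        }
        END {
            # The log may end mid-oops if the machine went down before flushing.
            if (in_oops && hit) n++
            print n + 0
        }
    '
}

# Constructed sample input: one routine driver message, one unrelated oops,
# and one oops whose trace references the rtw89_pci module.
sample_log() {
    cat <<'EOF'
[   10.000000] rtw89_pci: constructed informational line, no crash
[  500.000000] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  500.000100] RIP: 0010:example_other_fn+0x10/0x40 [example_mod]
[  500.000200] ---[ end trace 0000000000000000 ]---
[  900.000000] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  900.000100] RIP: 0010:rtw89_pci_release_tx+0x00/0x00 [rtw89_pci]
[  900.000200] ---[ end trace 0000000000000000 ]---
EOF
}

# Stand-alone run over the constructed sample.
sample_log | count_rtw89_oops
```

On a real host, feed it `journalctl -k -b -1` to read the previous boot, since a crash that forced a reboot will not appear in the current boot's kernel log.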
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Linux kernel to a version where the rtw89 driver includes the fix that validates the sequence number of the TX release report before use.
If an immediate update is not possible, consider disabling the affected wifi driver (rtw89) or the affected hardware temporarily to prevent kernel crashes.
Monitoring system stability and avoiding workloads that trigger the wifi TX release report may also reduce the risk until a patch is applied.