CVE-2026-43213
Analyzed Analyzed - Analysis Complete
NULL Pointer Dereference in Realtek rtw89 PCI WiFi Driver

Publication date: 2026-05-06

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: validate sequence number of TX release report Hardware rarely reports abnormal sequence number in TX release report, which will access out-of-bounds of wd_ring->pages array, causing NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 1085 Comm: irq/129-rtw89_p Tainted: G S U 6.1.145-17510-g2f3369c91536 #1 (HASH:69e8 1) Call Trace: <IRQ> rtw89_pci_release_tx+0x18f/0x300 [rtw89_pci (HASH:4c83 2)] rtw89_pci_napi_poll+0xc2/0x190 [rtw89_pci (HASH:4c83 2)] net_rx_action+0xfc/0x460 net/core/dev.c:6578 net/core/dev.c:6645 net/core/dev.c:6759 handle_softirqs+0xbe/0x290 kernel/softirq.c:601 ? rtw89_pci_interrupt_threadfn+0xc5/0x350 [rtw89_pci (HASH:4c83 2)] __local_bh_enable_ip+0xeb/0x120 kernel/softirq.c:499 kernel/softirq.c:423 </IRQ> <TASK> rtw89_pci_interrupt_threadfn+0xf8/0x350 [rtw89_pci (HASH:4c83 2)] ? irq_thread+0xa7/0x340 kernel/irq/manage.c:0 irq_thread+0x177/0x340 kernel/irq/manage.c:1205 kernel/irq/manage.c:1314 ? thaw_kernel_threads+0xb0/0xb0 kernel/irq/manage.c:1202 ? irq_forced_thread_fn+0x80/0x80 kernel/irq/manage.c:1220 kthread+0xea/0x110 kernel/kthread.c:376 ? synchronize_irq+0x1a0/0x1a0 kernel/irq/manage.c:1287 ? kthread_associate_blkcg+0x80/0x80 kernel/kthread.c:331 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> To prevent crash, validate rpp_info.seq before using.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-43213
EUVD
EUVD-2026-27775
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)
linux linux_kernel From 5.16 (inc) to 6.18.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's wifi driver rtw89 for PCI devices. It occurs because the hardware sometimes reports an abnormal sequence number in the TX release report. When this happens, the kernel accesses an out-of-bounds element of the wd_ring->pages array, which leads to a NULL pointer dereference and causes the kernel to crash.

The issue is triggered by an invalid sequence number that is not properly validated before use. The fix involves validating the sequence number (rpp_info.seq) before accessing the array to prevent the crash.

Impact Analysis

This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference triggered by an out-of-bounds array access in the wifi driver. Such a crash can lead to system instability, denial of service, or unexpected reboots, impacting the availability and reliability of systems using the affected driver.

Detection Guidance

This vulnerability causes a kernel NULL pointer dereference leading to a crash. Detection can be done by monitoring system logs for kernel oops messages related to the rtw89_pci driver, specifically messages indicating a NULL pointer dereference or sequence number validation failure in the TX release report.

You can check the kernel logs using commands such as:

  • dmesg | grep -i 'rtw89_pci'
  • journalctl -k | grep -i 'NULL pointer dereference'
  • journalctl -k | grep -i 'rtw89_pci_release_tx'

These commands help identify if the kernel has logged any crashes or errors related to this vulnerability.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the rtw89 driver includes the fix that validates the sequence number of the TX release report before use.

If an immediate update is not possible, consider disabling the affected wifi driver (rtw89) or the affected hardware temporarily to prevent kernel crashes.

Monitoring system stability and avoiding workloads that trigger the wifi TX release report may also reduce the risk until a patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43213. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart