{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-71234", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-02-18T14:25:13.845Z", "datePublished": "2026-02-18T14:53:18.893Z", "dateUpdated": "2026-05-11T21:56:56.064Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:56:56.064Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add\n\nThe driver does not set hw->sta_data_size, which causes mac80211 to\nallocate insufficient space for driver private station data in\n__sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of\nstruct rtl8xxxu_sta_info through sta->drv_priv, this results in a\nslab-out-of-bounds write.\n\nKASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:\n\n BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346\n Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12\n\nSet hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during\nprobe, similar to how hw->vif_data_size is configured. This ensures\nmac80211 allocates sufficient space for the driver's per-station\nprivate data.\n\nTested on StarFive VisionFive 2 v1.2A board."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/realtek/rtl8xxxu/core.c"], "versions": [{"version": "eef55f1545c92c7181d5083453dee1296298ad3e", "lessThan": "5d810ba377eddee95d30766d360a14efbb3d1872", "status": "affected", "versionType": "git"}, {"version": "eef55f1545c92c7181d5083453dee1296298ad3e", "lessThan": "116f7bd8160c6b37d1c6939385abf90f6f6ed2f5", "status": "affected", "versionType": "git"}, {"version": "eef55f1545c92c7181d5083453dee1296298ad3e", "lessThan": "9a0f3fa6ecd0c9c32dbc367a57482bbf7c7d25bf", "status": "affected", "versionType": "git"}, {"version": "eef55f1545c92c7181d5083453dee1296298ad3e", "lessThan": "86c946bcc00f6390ef65e9614ae60a9377e454f8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/realtek/rtl8xxxu/core.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.72", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.11", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.1", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.12.72"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.18.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.19.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5d810ba377eddee95d30766d360a14efbb3d1872"}, {"url": "https://git.kernel.org/stable/c/116f7bd8160c6b37d1c6939385abf90f6f6ed2f5"}, {"url": "https://git.kernel.org/stable/c/9a0f3fa6ecd0c9c32dbc367a57482bbf7c7d25bf"}, {"url": "https://git.kernel.org/stable/c/86c946bcc00f6390ef65e9614ae60a9377e454f8"}], "title": "wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC3EBF44-550D-4B5C-9CD4-93342B1A49F4", "versionEndExcluding": "6.12.72", "versionStartIncluding": "6.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7099A9EC-3D54-4424-BF01-7224EF88C79C", "versionEndExcluding": "6.18.11", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE543C0D-A06B-414F-A403-CB1E088F261E", "versionEndExcluding": "6.19.1", "versionStartIncluding": "6.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add\n\nThe driver does not set hw->sta_data_size, which causes mac80211 to\nallocate insufficient space for driver private station data in\n__sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of\nstruct rtl8xxxu_sta_info through sta->drv_priv, this results in a\nslab-out-of-bounds write.\n\nKASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:\n\n BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346\n Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12\n\nSet hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during\nprobe, similar to how hw->vif_data_size is configured. This ensures\nmac80211 allocates sufficient space for the driver's per-station\nprivate data.\n\nTested on StarFive VisionFive 2 v1.2A board."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: rtl8xxxu: correcci\u00f3n de slab-out-of-bounds en rtl8xxxu_sta_add\n\nEl controlador no establece hw->sta_data_size, lo que provoca que mac80211 asigne espacio insuficiente para los datos privados de estaci\u00f3n del controlador en __sta_info_alloc(). Cuando rtl8xxxu_sta_add() accede a miembros de struct rtl8xxxu_sta_info a trav\u00e9s de sta->drv_priv, esto resulta en una escritura slab-out-of-bounds.\n\nInforme KASAN en RISC-V (VisionFive 2) con adaptador RTL8192EU:\n\n BUG: KASAN: slab-out-of-bounds en rtl8xxxu_sta_add+0x31c/0x346\n Escritura de tama\u00f1o 8 en la direcci\u00f3n ffffffd6d3e9ae88 por la tarea kworker/u16:0/12\n\nEstablecer hw->sta_data_size a sizeof(struct rtl8xxxu_sta_info) durante probe, de forma similar a c\u00f3mo se configura hw->vif_data_size. Esto asegura que mac80211 asigne espacio suficiente para los datos privados por estaci\u00f3n del controlador.\n\nProbado en placa StarFive VisionFive 2 v1.2A."}], "id": "CVE-2025-71234", "lastModified": "2026-03-18T17:13:08.443", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-18T16:22:30.190", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/116f7bd8160c6b37d1c6939385abf90f6f6ed2f5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5d810ba377eddee95d30766d360a14efbb3d1872"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/86c946bcc00f6390ef65e9614ae60a9377e454f8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9a0f3fa6ecd0c9c32dbc367a57482bbf7c7d25bf"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add", "id": "2440669", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440669"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nwifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add\nThe driver does not set hw->sta_data_size, which causes mac80211 to\nallocate insufficient space for driver private station data in\n__sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of\nstruct rtl8xxxu_sta_info through sta->drv_priv, this results in a\nslab-out-of-bounds write.\nKASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:\nBUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346\nWrite of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12\nSet hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during\nprobe, similar to how hw->vif_data_size is configured. This ensures\nmac80211 allocates sufficient space for the driver's per-station\nprivate data.\nTested on StarFive VisionFive 2 v1.2A board."], "name": "CVE-2025-71234", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-71234\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-71234\nhttps://lore.kernel.org/linux-cve-announce/2026021805-CVE-2025-71234-3bb7@gregkh/T"], "statement": "A slab out of bounds write can occur in the rtl8xxxu USB wifi driver because hw sta_data_size is not set and mac80211 allocates insufficient per station private storage for sta drv_priv. When rtl8xxxu_sta_add writes fields of struct rtl8xxxu_sta_info via sta drv_priv it can overwrite adjacent slab memory which can crash the kernel and may corrupt kernel state. For the CVSS the PR is L because the bug is typically triggered by local network configuration actions such as enabling the interface and associating stations and these operations commonly require CAP_NET_ADMIN. In some deployments the attacker may only need to be within wireless range if the device is operating as an access point and accepts associations which can make the trigger effectively remote over the air. Impact is at least denial of service. A conservative worst case also considers confidentiality and integrity impact because the flaw is a kernel memory overwrite.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,5d810ba377eddee95d30766d360a14efbb3d1872)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,116f7bd8160c6b37d1c6939385abf90f6f6ed2f5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9a0f3fa6ecd0c9c32dbc367a57482bbf7c7d25bf)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.72,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.11,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.1,6.20.0)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-20T18:48:17.646189+00:00", "value": {"mitigation_remediation": ["Upgrade to a Linux kernel that includes the rtl8xxxu driver fix (commit 116f7bd\u2026 or later).", "Reboot the system to load the updated kernel and any rebuilt modules.", "If an update cannot be applied immediately, temporarily unload or disable the rtl8xxxu module (e.g., with modprobe -r rtl8xxxu) until the fix is available."], "summary": {"action": "Immediate Patch", "impact": "Memory corruption via slab\u2011out\u2011of\u2011bounds write, potentially exposing the kernel to loss of integrity or privilege escalation"}, "threat_synthesis": {"affected_systems": "Linux kernel systems that use the rtl8xxxu driver \u2013 notably kernel distributions that ship this driver as part of the standard kernel module set. The impact applies to all supported kernel versions that lack the patch setting hw->sta_data_size during probe, with particular exposure on architectures such as RISC\u2011V where the bug was reproduced.", "description_and_impact": "The rtl8xxxu wireless driver fails to set the hardware station data size, causing mac80211 to allocate insufficient memory for driver private station data. When the driver subsequently accesses this memory, a slab\u2011out\u2011of\u2011bounds write occurs, as confirmed by a KASAN report on VisionFive 2. This overflow can corrupt kernel memory and may lead to loss of integrity or privilege escalation if exploited. The associated weaknesses are identified as CWE\u2011476 (null pointer dereference) and CWE\u2011787 (out\u2011of\u2011bounds read or write).", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high level of severity. However, the EPSS score is reported as <\u202f1\u202f%, showing a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to be able to influence the driver\u2019s operation, likely by sending crafted management frames or manipulating the wireless interface, which is a local or remote attack vector depending on device configuration. Given the low EPSS, immediate risk to unpatched systems is moderate but could increase if the flaw becomes widely exploited."}}}}, "created": "2026-02-19T10:11:54.445243+00:00", "updated": "2026-04-20T19:00:10.674223+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}