{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31626", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.124Z", "datePublished": "2026-04-24T14:42:47.493Z", "dateUpdated": "2026-05-11T22:12:26.892Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:26.892Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()\n\nInitialize le_tmp64 to zero in rtw_BIP_verify() to prevent using\nuninitialized data.\n\nSmatch warns that only 6 bytes are copied to this 8-byte (u64)\nvariable, leaving the last two bytes uninitialized:\n\ndrivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify()\nwarn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes)\n\nInitializing the variable at the start of the function fixes this\nwarning and ensures predictable behavior."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/staging/rtl8723bs/core/rtw_security.c"], "versions": [{"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b", "lessThan": "c65ee4d3be5df395e48afbcd0946dd5fce4338a9", "status": "affected", "versionType": "git"}, {"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b", "lessThan": "d5b8f5f8d6fc09a8af5ed139c688660f578ed732", "status": "affected", "versionType": "git"}, {"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b", "lessThan": "b487a7754d874230299d5a9c2710ec4df8b2ed8a", "status": "affected", "versionType": "git"}, {"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b", "lessThan": "c2026c6b603ebec52f55015496703fe79077accf", "status": "affected", "versionType": "git"}, {"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b", "lessThan": "ef74ce5f0bc0e53ce702d8a794f3957884a26efc", "status": "affected", "versionType": "git"}, {"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b", "lessThan": "8c964b82a4e97ec7f25e17b803ee196009b38a57", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/staging/rtl8723bs/core/rtw_security.c"], "versions": [{"version": "4.12", "status": "affected"}, {"version": "0", "lessThan": "4.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c65ee4d3be5df395e48afbcd0946dd5fce4338a9"}, {"url": "https://git.kernel.org/stable/c/d5b8f5f8d6fc09a8af5ed139c688660f578ed732"}, {"url": "https://git.kernel.org/stable/c/b487a7754d874230299d5a9c2710ec4df8b2ed8a"}, {"url": "https://git.kernel.org/stable/c/c2026c6b603ebec52f55015496703fe79077accf"}, {"url": "https://git.kernel.org/stable/c/ef74ce5f0bc0e53ce702d8a794f3957884a26efc"}, {"url": "https://git.kernel.org/stable/c/8c964b82a4e97ec7f25e17b803ee196009b38a57"}], "title": "staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "022BB187-782F-49F9-A3AE-9DCC0B6012CE", "versionEndExcluding": "6.6.136", "versionStartIncluding": "4.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8", "versionEndExcluding": "6.12.83", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()\n\nInitialize le_tmp64 to zero in rtw_BIP_verify() to prevent using\nuninitialized data.\n\nSmatch warns that only 6 bytes are copied to this 8-byte (u64)\nvariable, leaving the last two bytes uninitialized:\n\ndrivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify()\nwarn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes)\n\nInitializing the variable at the start of the function fixes this\nwarning and ensures predictable behavior."}], "id": "CVE-2026-31626", "lastModified": "2026-04-27T20:49:50.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:41.907", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8c964b82a4e97ec7f25e17b803ee196009b38a57"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b487a7754d874230299d5a9c2710ec4df8b2ed8a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c2026c6b603ebec52f55015496703fe79077accf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c65ee4d3be5df395e48afbcd0946dd5fce4338a9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d5b8f5f8d6fc09a8af5ed139c688660f578ed732"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ef74ce5f0bc0e53ce702d8a794f3957884a26efc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-908"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()", "id": "2461466", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461466"}, "csaw": false, "cwe": "CWE-908", "details": ["A flaw was found in the Linux kernel's rtl8723bs Wi-Fi driver. This vulnerability occurs within the rtw_BIP_verify() function, where a variable is not fully initialized, leaving two bytes with unpredictable values. This uninitialized data can lead to unpredictable system behavior, potentially resulting in a denial of service (DoS) or information disclosure."], "name": "CVE-2026-31626", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31626\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31626\nhttps://lore.kernel.org/linux-cve-announce/2026042427-CVE-2026-31626-2085@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[554c0a3abf216c991c5ebddcdb2c08689ecd290b,c65ee4d3be5df395e48afbcd0946dd5fce4338a9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[554c0a3abf216c991c5ebddcdb2c08689ecd290b,d5b8f5f8d6fc09a8f5ed139c688660f578ed732)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[554c0a3abf216c991c5ebddcdb2c08689ecd290b,b487a7754d874230299d5a9c2710ec4df8b2ed8a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[554c0a3abf216c991c5ebddcdb2c08689ecd290b,c2026c6b603ebec52f55015496703fe79077accf)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[554c0a3abf216c991c5ebddcdb2c08689ecd290b,ef74ce5f0bc0e53ce702d8a794f3957884a26efc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[554c0a3abf216c991c5ebddcdb2c08689ecd290b,8c964b82a4e97ec7f25e17b803ee196009b38a57)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.12"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,4.12)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.136,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.83,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.1,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T02:19:46.063618+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that incorporates the rtw_BIP_verify() bug fix which zero\u2011initializes the le_tmp64 variable.", "If using a custom or older kernel, apply the patch that adds the initialization to rtl8723bs/rtw_security.c or backport the commit to the running kernel.", "If an immediate update cannot be applied, disable or remove the rtl8723bs staging driver to eliminate the vulnerable code path."], "summary": {"action": "Patch", "impact": "Uninitialized memory usage in the rtl8723bs driver can cause unpredictable kernel behavior"}, "threat_synthesis": {"affected_systems": "Any Linux kernel that includes the staging rtl8723bs driver is affected, independent of version. The vulnerability is present in the code path until the commit that adds the initialization is incorporated. The affected product is the Linux kernel across all distributions shipping this driver, as identified by the CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:", "description_and_impact": "The rtl8723bs wireless driver in the Linux kernel contains an uninitialized memory condition in the function rtw_BIP_verify(). The driver copies only six bytes into an eight\u2011byte u64 variable le_tmp64, leaving the upper two bytes undefined. When the variable is used later, the unpredictable content can affect calculations or state transitions in the driver, potentially causing kernel instability or incorrect behavior. The fix initializes the variable to zero before it is used, removing the undefined data.", "risk_and_exploitability": "The CVSS score of 7.1 signals moderate severity, while the EPSS score of less than 1% indicates a very low likelihood of exploitation. The vulnerability is not listed in CISA KEV. No explicit attack vector is documented; based on the description, exploitation would likely require local or privileged access to manipulate the driver or load it, making the risk to exposed hosts low under typical conditions."}}}}, "created": "2026-04-27T18:45:11.327292+00:00", "updated": "2026-04-29T02:30:07.570769+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}