CVE-2026-23073

HIGH EPSS 2.9%
Published Feb 4, 20264mo ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published Feb 4, 2026 4mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory corruption due to not set vif driver data size The struct ieee80211_vif contains trailing space for vif driver data, when struct ieee80211_vif is allocated, the total memory size that is allocated is sizeof(struct ieee80211_vif) + size of vif driver data. The size of vif driver data is set by each WiFi driver as needed. The RSI911x driver does not set vif driver data size, no trailing space for vif driver data is therefore allocated past struct ieee80211_vif . The RSI911x driver does however use the vif driver data to store its vif driver data structure "struct vif_priv". An access to vif->drv_priv leads to access out of struct ieee80211_vif bounds and corruption of some memory. In case of the failure observed locally, rsi_mac80211_add_interface() would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv; vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member struct list_head new_flows . The flow = list_first_entry(head, struct fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus address, which when accessed causes a crash. The trigger is very simple, boot the machine with init=/bin/sh , mount devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1", "ip link set wlan0 down" and the crash occurs. Fix this by setting the correct size of vif driver data, which is the size of "struct vif_priv", so that memory is allocated and the driver can store its driver data in it, instead of corrupting memory around it.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 12

VendorProductVersionRange
linuxlinux_kernel*≥3.15  –  <5.10.249
linuxlinux_kernel*≥5.11  –  <5.15.199
linuxlinux_kernel*≥5.16  –  <6.1.162
linuxlinux_kernel*≥6.2  –  <6.6.122
linuxlinux_kernel*≥6.7  –  <6.12.68
linuxlinux_kernel*≥6.13  –  <6.18.8
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any
linuxlinux_kernel6.19any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/0d7c9e793e351cbbe9e06a9ca47d77b6ad288fb0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/31efbcff90884ea5f65bf3d1de01267db51ee3d1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/49ef094fdbc3526e5db2aebb404b84f79c5603dc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4f431d88ea8093afc7ba55edf4652978c5a68f33
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7761d7801f40e61069b4df3db88b36d80d089f8a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7c54d0c3e2cad4300be721ec2aecfcf8a63bc9f4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/99129d80a5d4989ef8566f434f3589f60f28042b
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0d7c9e793e351cbbe9e06a9ca47d77b6ad288fb0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/31efbcff90884ea5f65bf3d1de01267db51ee3d1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/49ef094fdbc3526e5db2aebb404b84f79c5603dc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4f431d88ea8093afc7ba55edf4652978c5a68f33
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7761d7801f40e61069b4df3db88b36d80d089f8a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7c54d0c3e2cad4300be721ec2aecfcf8a63bc9f4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/99129d80a5d4989ef8566f434f3589f60f28042b
    Patch