CVE-2025-71100 Overview
A vulnerability has been discovered in the Linux kernel's rtlwifi driver for Realtek 8192CU wireless network adapters. The issue exists in the rtl92cu_tx_fill_desc() function where the Traffic Identifier (TID) value obtained from ieee80211_get_tid() may exceed the bounds of the sta_entry->tids[] array, leading to an out-of-bounds array access. This vulnerability was identified through UBSAN (Undefined Behavior Sanitizer) warnings indicating that index 10 is out of range for an array of type rtl_tid_data [9].
Critical Impact
Out-of-bounds array access in the Linux kernel wireless driver can lead to undefined behavior, potential information disclosure, or system instability when using Realtek 8192CU USB wireless adapters.
Affected Products
- Linux kernel with rtlwifi module (rtl8192cu driver)
- Systems using Realtek RTL8192CU USB wireless adapters
- Various Linux distributions running affected kernel versions
Discovery Timeline
- 2026-01-13 - CVE-2025-71100 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71100
Vulnerability Analysis
The vulnerability resides in the transmission path of the rtl8192cu wireless driver within the Linux kernel. The rtl92cu_tx_fill_desc() function retrieves a TID value using the ieee80211_get_tid() function from incoming network frames. This TID is then used to index into the sta_entry->tids[] array, which has a fixed size defined by MAX_TID_COUNT.
The issue occurs because the code does not validate that the returned TID value falls within the valid range of array indices. IEEE 802.11 TID values can range from 0-15, but the rtl_tid_data array only accommodates 9 entries (indices 0-8). When a TID value of 10 or higher is encountered, it results in an out-of-bounds array access at drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30.
Root Cause
The root cause is a missing bounds check in the rtl92cu_tx_fill_desc() function. The code directly uses the TID value returned by ieee80211_get_tid() as an array index without first verifying that it is less than MAX_TID_COUNT. This is a classic input validation error where an external value is used without proper boundary validation.
Attack Vector
The vulnerability is triggered through normal wireless network operations when the driver processes frames with high TID values. The attack vector is not clearly defined in the available data, but one potential scenario is the following.
Crafted wireless frames containing TID values outside the expected range could trigger the out-of-bounds access. An attacker within wireless range could potentially send specially crafted 802.11 frames to a system using the vulnerable driver, causing undefined behavior in the kernel. The practical exploitability depends on the specific memory layout and what data resides adjacent to the tids[] array.
Detection Methods for CVE-2025-71100
Indicators of Compromise
- UBSAN warnings in kernel logs containing "array-index-out-of-bounds" referencing rtl8192cu/trx.c
- Kernel log messages indicating issues with the rtlwifi or rtl8192cu modules
- Unexpected system crashes or instability when using Realtek 8192CU wireless adapters
Detection Strategies
- Monitor kernel logs (dmesg) for UBSAN sanitizer warnings related to the rtlwifi driver
- Enable kernel address sanitizer (KASAN) and undefined behavior sanitizer (UBSAN) for enhanced runtime detection
- Review system crash dumps for stack traces originating from the rtl92cu_tx_fill_desc() function
Monitoring Recommendations
- Configure centralized logging to capture kernel-level warnings and errors across affected systems
- Implement automated alerting for UBSAN or KASAN warnings in production environments
- Monitor network interface stability on systems using Realtek 8192CU adapters
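One way to implement the log check described above, added here as an example and not taken from the advisory or the kernel: a small C scanner that flags UBSAN array-index reports naming rtl8192cu/trx.c and extracts the source line, index and array bound. The sample log lines are constructed and assume the kernel's usual two-line UBSAN report shape; `scan_rtl8192cu_ubsan` and `struct ubsan_hit` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

struct ubsan_hit { int src_line; int index; int bound; };

/* Constructed sample: one matching report, one unrelated report, one noise line. */
static const char *const SAMPLE_LOG[] = {
    "[  10.000001] rtl8192cu: Chip version 0x10",
    "[  42.100000] UBSAN: array-index-out-of-bounds in drivers/example/other.c:10:5",
    "[  42.100010] index 4 is out of range for type 'int [4]'",
    "[  97.500000] UBSAN: array-index-out-of-bounds in "
        "drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30",
    "[  97.500012] index 10 is out of range for type 'rtl_tid_data [9]'",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* A hit is a UBSAN array-index header that names rtl8192cu/trx.c; the detail
 * line that follows it, when present, supplies the index and the array bound.
 * Fields that cannot be parsed stay at -1. Returns the number of hits stored. */
static int scan_rtl8192cu_ubsan(const char *const *lines, size_t n,
                                struct ubsan_hit *hits, size_t max_hits)
{
    size_t found = 0;
    for (size_t i = 0; i < n && found < max_hits; i++) {
        const char *hdr = strstr(lines[i], "UBSAN: array-index-out-of-bounds in ");
        const char *file = hdr ? strstr(hdr, "rtl8192cu/trx.c:") : NULL;
        if (!file)
            continue;                       /* not a report for this driver */
        struct ubsan_hit hit = { -1, -1, -1 };
        sscanf(file, "rtl8192cu/trx.c:%d", &hit.src_line);
        if (i + 1 < n) {
            const char *detail = strstr(lines[i + 1], "index ");
            const char *brk = detail ? strrchr(detail, '[') : NULL;
            if (detail) sscanf(detail, "index %d", &hit.index);
            if (brk)    sscanf(brk, "[%d]", &hit.bound);
        }
        hits[found++] = hit;
    }
    return (int)found;
}

int main(void)
{
    struct ubsan_hit hits[4];
    int n = scan_rtl8192cu_ubsan(SAMPLE_LOG, SAMPLE_LOG_LEN, hits, 4);
    for (int i = 0; i < n; i++)
        printf("rtl8192cu UBSAN hit: trx.c:%d index=%d bound=%d\n",
               hits[i].src_line, hits[i].index, hits[i].bound);
    return n > 0;   /* non-zero exit lets a wrapper raise an alert */
}
```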
How to Mitigate CVE-2025-71100
Immediate Actions Required
- Update to a patched Linux kernel version that includes the TID bounds check fix
- If updates are not immediately available, consider temporarily disabling or replacing Realtek 8192CU wireless adapters
- Monitor affected systems for signs of exploitation or instability
Patch Information
The Linux kernel development team has released patches to address this vulnerability. The fix adds a bounds check to ensure the TID value is less than MAX_TID_COUNT before using it as an array index. The patches are available in the stable kernel tree.
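A user-space model of the missing check from the Root Cause section and of the bounds check described above, added here as an illustration; it is not the kernel patch or driver source. `struct tid_model`, `struct sta_model`, `frame_tid`, `escapes_array` and `tid_lookup` are hypothetical stand-ins, and returning NULL for a rejected TID is an assumption about how a caller would fall back.

```c
/* User-space model of the indexing bug; illustrative, not kernel source. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TID_COUNT    9       /* array bound from the UBSAN report: [9] */
#define QOS_CTL_TID_MASK 0x000f  /* TID = low 4 bits of QoS Control, 0..15 */

struct tid_model { uint8_t agg_state; };   /* stand-in for rtl_tid_data */
struct sta_model {                         /* stand-in for sta_entry */
    struct tid_model tids[MAX_TID_COUNT];
    uint8_t neighbour[8];                  /* whatever happens to follow tids[] */
};

/* Models ieee80211_get_tid(): the value comes straight from the frame header. */
static unsigned frame_tid(uint16_t qos_ctl) { return qos_ctl & QOS_CTL_TID_MASK; }

/* Unchecked pattern: byte offset inside sta_model that tids[tid] resolves to.
 * It is computed rather than dereferenced so the demo itself stays defined. */
static size_t unchecked_offset(unsigned tid)
{
    return offsetof(struct sta_model, tids) + tid * sizeof(struct tid_model);
}

/* Returns 1 when the unchecked access would land outside tids[]. */
static int escapes_array(unsigned tid)
{
    size_t end = offsetof(struct sta_model, tids)
               + MAX_TID_COUNT * sizeof(struct tid_model);
    return unchecked_offset(tid) >= end;
}

/* Checked pattern: reject any TID >= MAX_TID_COUNT before indexing. */
static const struct tid_model *tid_lookup(const struct sta_model *sta,
                                          uint16_t qos_ctl)
{
    unsigned tid = frame_tid(qos_ctl);
    return tid < MAX_TID_COUNT ? &sta->tids[tid] : NULL;
}

int main(void)
{
    struct sta_model sta = {0};
    for (uint16_t qos = 0; qos < 16; qos++)
        printf("tid %2u unchecked=%-3s checked=%s\n", frame_tid(qos),
               escapes_array(frame_tid(qos)) ? "OOB" : "ok",
               tid_lookup(&sta, qos) ? "slot" : "rejected");
    return 0;
}
```

Running it walks all sixteen possible TID values and shows which ones the unchecked index would carry past the end of the nine-entry array, next to the result of the checked lookup.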
Workarounds
- Use an alternative wireless adapter with a different driver until the system can be patched
- Blacklist the rtl8192cu module if the adapter is not required for operations
- Limit wireless network exposure by connecting affected systems via wired Ethernet when possible
```bash
# Temporarily blacklist the vulnerable driver module
echo "blacklist rtl8192cu" | sudo tee /etc/modprobe.d/blacklist-rtl8192cu.conf
sudo modprobe -r rtl8192cu
```


