CVE-2025-71273 Overview
CVE-2025-71273 is a memory leak vulnerability in the Linux kernel's rtw88 Wi-Fi driver. The flaw resides in the rtw_set_supported_band() function, where supported band allocations are not freed in the error path of rtw_register_hw(). Maintainers resolved the issue by converting the allocation to use device-managed memory through devm_kmemdup(), mirroring an earlier fix applied to the related rtw89 driver in commit 145df52a8671.
Critical Impact
Repeated driver registration failures can exhaust kernel memory on systems using Realtek rtw88-supported wireless adapters, degrading host stability over time.
Affected Products
- Linux kernel versions containing the rtw88 Wi-Fi driver prior to the fix commits
- Systems using Realtek wireless chipsets supported by the rtw88 driver
- Distributions shipping the affected stable kernel branches
Discovery Timeline
- 2026-05-06 - CVE-2025-71273 published to the National Vulnerability Database
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2025-71273
Vulnerability Analysis
The vulnerability is a memory leak [CWE-401] in the rtw88 Wi-Fi driver. During hardware registration, rtw_set_supported_band() allocates kernel memory to hold copies of the supported 2.4 GHz and 5 GHz band structures used by the ieee80211 subsystem. When rtw_register_hw() encounters an error after these allocations succeed, the error path returns without releasing the duplicated band buffers.
Each failed registration attempt leaks the buffers permanently because no reference is retained after the error return. On systems where the driver retries probing, performs repeated module load and unload cycles, or experiences transient initialization failures, leaked allocations accumulate in kernel memory.
The upstream fix replaces the manual kmemdup() allocation with devm_kmemdup(). Device-managed allocations are automatically released by the kernel when the associated struct device is detached, eliminating the manual cleanup requirement and the corresponding error-path bug.
Root Cause
The root cause is missing cleanup logic in the error path of rtw_register_hw(). The code allocated band copies through kmemdup() but did not call kfree() on those buffers when subsequent registration steps failed. The fix copies the same approach used in the rtw89 driver, where rtw89_core_set_supported_band was migrated to devm_* allocators.
Attack Vector
This is a local reliability and resource-exhaustion issue rather than a remotely reachable vulnerability. Triggering the leak requires conditions that cause rtw_register_hw() to fail after band allocation, such as repeated driver reloads, hardware initialization errors, or constrained system states. An attacker with the ability to load and unload kernel modules or to influence driver probe outcomes could amplify memory pressure on the host.
No public proof-of-concept exploit is available, and the EPSS probability is very low. The vulnerability is corrected in the kernel commits referenced in the kernel.org stable tree.
Detection Methods for CVE-2025-71273
Indicators of Compromise
- Gradual increase in unaccounted kernel slab memory on hosts using rtw88-supported Wi-Fi hardware
- Recurring rtw_register_hw() failure messages in dmesg or the systemd journal
- Repeated load and unload cycles of the rtw88_core, rtw88_pci, or rtw88_usb modules
Detection Strategies
- Compare the running kernel version against the fixed commits 1bd90e0a99fd, 2ba12401cc1f, 9b5418070ee8, and ad9b80ee310e in the stable tree
- Inspect /proc/slabinfo and /proc/meminfo for sustained growth in kmalloc-* caches correlated with Wi-Fi driver activity
- Audit kernel logs for repeated rtw88 probe or registration errors that would exercise the leaking error path
Monitoring Recommendations
- Track kernel package versions across the fleet and flag hosts running unpatched rtw88-bearing kernels
- Alert on abnormal kernel memory growth on endpoints with Realtek wireless adapters
- Forward dmesg and module load events to a central logging platform for trend analysis
How to Mitigate CVE-2025-71273
Immediate Actions Required
- Upgrade affected hosts to a Linux kernel that includes the upstream rtw88 fix commits referenced by the kernel.org advisory
- Apply the corresponding stable kernel updates from your distribution vendor as soon as they are published
- Reboot patched systems to ensure the corrected driver is loaded
Patch Information
The issue is resolved by converting rtw_set_supported_band() to use devm_kmemdup(). The fix is available in the following stable kernel commits: 1bd90e0a99fd, 2ba12401cc1f, 9b5418070ee8, and ad9b80ee310e.
Workarounds
- On systems that do not require Realtek Wi-Fi, blacklist the rtw88 driver modules until the kernel is updated
- Avoid scripted or automated repeated reloading of rtw88_core, rtw88_pci, and rtw88_usb modules
- Reboot hosts that have accumulated kernel memory growth to reclaim leaked allocations as a temporary measure
# Verify the running kernel and check for the rtw88 module
uname -r
lsmod | grep rtw88
# Temporarily prevent the driver from loading until the kernel is patched
echo 'blacklist rtw88_pci' | sudo tee /etc/modprobe.d/rtw88.conf
echo 'blacklist rtw88_usb' | sudo tee -a /etc/modprobe.d/rtw88.conf
echo 'blacklist rtw88_core' | sudo tee -a /etc/modprobe.d/rtw88.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
