CVE-2025-71297 Overview
CVE-2025-71297 is a kernel vulnerability in the Linux rtw88 WiFi driver for Realtek 8822B chipsets. The flaw resides in rtw8822b_set_antenna(), which can be invoked from userspace through netlink calls such as iw set antenna even when the chip is powered off. When triggered in this state, rtw8822b_config_trx_mode() attempts to read RF registers and returns unexpected values, causing a kernel WARNING. Local unprivileged users with access to the wireless interface can repeatedly trigger this condition, leading to log spam and potential availability impact on affected systems.
Critical Impact
Local users can trigger a kernel WARNING in the rtw88 8822b driver by setting antenna configuration while the chip is powered off, affecting system availability.
Affected Products
- Linux Kernel (multiple stable branches prior to fixes)
- Systems using Realtek RTW8822B WiFi chipsets with the rtw88_8822b driver
- Distributions shipping vulnerable kernel versions, including Arch Linux kernel 6.17.5-arch1-1
Discovery Timeline
- 2026-05-08 - CVE-2025-71297 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2025-71297
Vulnerability Analysis
The vulnerability lives in drivers/net/wireless/realtek/rtw88/rtw8822b.c at the rtw8822b_config_trx_mode() function. The function writes RF mode tables and verifies the writes by reading back RF registers. When the underlying chip is powered off, register reads return invalid values, triggering the WARN macro with the message write RF mode table fail at line 824.
The call path begins in userspace through the nl80211 netlink interface. A nl80211_set_wiphy request flows through cfg80211, into mac80211's ieee80211_set_antenna, then through rtw_ops_set_antenna and finally rtw8822b_set_antenna, which unconditionally calls rtw8822b_config_trx_mode().
This condition produces a kernel taint (W flag) and a full stack trace in dmesg. Repeated invocation amplifies log volume and can interfere with system monitoring or trigger panic-on-warn configurations.
Root Cause
The root cause is missing state validation in rtw8822b_set_antenna(). The function does not check the chip power state before invoking rtw8822b_config_trx_mode(). The configuration routine assumes the RF hardware is reachable and emits a WARNING when readback fails. Userspace can reach this path without elevated privileges beyond standard network configuration capabilities.
Attack Vector
The attack vector is local. A user with permission to invoke iw or send nl80211 netlink messages can repeatedly call set antenna while the WiFi interface is in a powered-off state. The fix, applied across multiple stable branches in commits 0d0c2fb, 44510ff, 44d1f62, 509beca, 7852ca1, and a96d161, guards the rtw8822b_config_trx_mode() call so it only runs when the chip is powered on.
No public exploit code is required to reproduce the issue beyond standard wireless tooling. The vulnerability does not enable code execution or information disclosure, and its primary impact is availability through log flooding or panic-on-warn behavior.
Detection Methods for CVE-2025-71297
Indicators of Compromise
- Kernel log entries containing the string write RF mode table fail originating from the rtw88_8822b module
- WARNING traces in dmesg referencing rtw8822b_config_trx_mode.constprop.0 at offset +0x835/0x840
- Kernel taint flag W appearing alongside rtw88_8822b and rtw88_core module names
Detection Strategies
- Monitor /var/log/kern.log and journald for repeated rtw8822b_config_trx_mode WARNING entries tied to iw or other nl80211 clients
- Audit running kernel versions against the fixed commits listed in the git.kernel.org advisories to identify unpatched hosts
- Track invocations of ieee80211_set_antenna via eBPF tracing on hosts using Realtek 8822B hardware
Monitoring Recommendations
- Forward kernel warnings to a centralized logging platform and alert on rtw88 module taint events
- Inventory endpoints with rtw88_8822b loaded using lsmod checks pushed through configuration management
- Correlate netlink wireless configuration changes with subsequent kernel WARNING events to identify abuse
How to Mitigate CVE-2025-71297
Immediate Actions Required
- Update the Linux kernel to a version containing one of the fix commits: 0d0c2fb, 44510ff, 44d1f62, 509beca, 7852ca1, or a96d161
- Restrict access to wireless configuration utilities such as iw on multi-user systems by limiting CAP_NET_ADMIN
- Disable panic_on_warn on production hosts where this WARNING could cause unintended reboots
Patch Information
The upstream fix modifies rtw8822b_set_antenna() to invoke rtw8822b_config_trx_mode() only when the chip is powered on. Patches are available in the stable tree via the Linux Kernel Commit 0d0c2fb, Linux Kernel Commit 44510ff, Linux Kernel Commit 44d1f62, Linux Kernel Commit 509beca, Linux Kernel Commit 7852ca1, and Linux Kernel Commit a96d161. Apply the distribution kernel update that corresponds to your branch.
Workarounds
- Unload the rtw88_8822b module with modprobe -r rtw88_8822b on systems where the WiFi adapter is unused
- Prevent unprivileged users from running iw and related nl80211 clients through sudoers and capability restrictions
- Keep the wireless interface powered on during antenna configuration changes to avoid triggering the WARNING path
# Verify whether the rtw88_8822b driver is loaded
lsmod | grep rtw88_8822b
# Temporarily blacklist the driver until a patched kernel is deployed
echo 'blacklist rtw88_8822b' | sudo tee /etc/modprobe.d/blacklist-rtw88.conf
sudo update-initramfs -u
# Confirm the running kernel version against fixed commits
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

