Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71297

CVE-2025-71297: Linux Kernel Privilege Escalation Flaw

CVE-2025-71297 is a privilege escalation vulnerability in the Linux Kernel's rtw88 WiFi driver that triggers warnings when antenna settings are modified while the chip is powered off. This article covers technical details, impact, and fixes.

Published:

CVE-2025-71297 Overview

CVE-2025-71297 is a kernel vulnerability in the Linux rtw88 WiFi driver for Realtek 8822B chipsets. The flaw resides in rtw8822b_set_antenna(), which can be invoked from userspace through netlink calls such as iw set antenna even when the chip is powered off. When triggered in this state, rtw8822b_config_trx_mode() attempts to read RF registers and returns unexpected values, causing a kernel WARNING. Local unprivileged users with access to the wireless interface can repeatedly trigger this condition, leading to log spam and potential availability impact on affected systems.

Critical Impact

Local users can trigger a kernel WARNING in the rtw88 8822b driver by setting antenna configuration while the chip is powered off, affecting system availability.

Affected Products

  • Linux Kernel (multiple stable branches prior to fixes)
  • Systems using Realtek RTW8822B WiFi chipsets with the rtw88_8822b driver
  • Distributions shipping vulnerable kernel versions, including Arch Linux kernel 6.17.5-arch1-1

Discovery Timeline

  • 2026-05-08 - CVE-2025-71297 published to NVD
  • 2026-05-14 - Last updated in NVD database

Technical Details for CVE-2025-71297

Vulnerability Analysis

The vulnerability lives in drivers/net/wireless/realtek/rtw88/rtw8822b.c at the rtw8822b_config_trx_mode() function. The function writes RF mode tables and verifies the writes by reading back RF registers. When the underlying chip is powered off, register reads return invalid values, triggering the WARN macro with the message write RF mode table fail at line 824.

The call path begins in userspace through the nl80211 netlink interface. A nl80211_set_wiphy request flows through cfg80211, into mac80211's ieee80211_set_antenna, then through rtw_ops_set_antenna and finally rtw8822b_set_antenna, which unconditionally calls rtw8822b_config_trx_mode().

This condition produces a kernel taint (W flag) and a full stack trace in dmesg. Repeated invocation amplifies log volume and can interfere with system monitoring or trigger panic-on-warn configurations.

Root Cause

The root cause is missing state validation in rtw8822b_set_antenna(). The function does not check the chip power state before invoking rtw8822b_config_trx_mode(). The configuration routine assumes the RF hardware is reachable and emits a WARNING when readback fails. Userspace can reach this path without elevated privileges beyond standard network configuration capabilities.

Attack Vector

The attack vector is local. A user with permission to invoke iw or send nl80211 netlink messages can repeatedly call set antenna while the WiFi interface is in a powered-off state. The fix, applied across multiple stable branches in commits 0d0c2fb, 44510ff, 44d1f62, 509beca, 7852ca1, and a96d161, guards the rtw8822b_config_trx_mode() call so it only runs when the chip is powered on.

No public exploit code is required to reproduce the issue beyond standard wireless tooling. The vulnerability does not enable code execution or information disclosure, and its primary impact is availability through log flooding or panic-on-warn behavior.

Detection Methods for CVE-2025-71297

Indicators of Compromise

  • Kernel log entries containing the string write RF mode table fail originating from the rtw88_8822b module
  • WARNING traces in dmesg referencing rtw8822b_config_trx_mode.constprop.0 at offset +0x835/0x840
  • Kernel taint flag W appearing alongside rtw88_8822b and rtw88_core module names

Detection Strategies

  • Monitor /var/log/kern.log and journald for repeated rtw8822b_config_trx_mode WARNING entries tied to iw or other nl80211 clients
  • Audit running kernel versions against the fixed commits listed in the git.kernel.org advisories to identify unpatched hosts
  • Track invocations of ieee80211_set_antenna via eBPF tracing on hosts using Realtek 8822B hardware

Monitoring Recommendations

  • Forward kernel warnings to a centralized logging platform and alert on rtw88 module taint events
  • Inventory endpoints with rtw88_8822b loaded using lsmod checks pushed through configuration management
  • Correlate netlink wireless configuration changes with subsequent kernel WARNING events to identify abuse

How to Mitigate CVE-2025-71297

Immediate Actions Required

  • Update the Linux kernel to a version containing one of the fix commits: 0d0c2fb, 44510ff, 44d1f62, 509beca, 7852ca1, or a96d161
  • Restrict access to wireless configuration utilities such as iw on multi-user systems by limiting CAP_NET_ADMIN
  • Disable panic_on_warn on production hosts where this WARNING could cause unintended reboots

Patch Information

The upstream fix modifies rtw8822b_set_antenna() to invoke rtw8822b_config_trx_mode() only when the chip is powered on. Patches are available in the stable tree via the Linux Kernel Commit 0d0c2fb, Linux Kernel Commit 44510ff, Linux Kernel Commit 44d1f62, Linux Kernel Commit 509beca, Linux Kernel Commit 7852ca1, and Linux Kernel Commit a96d161. Apply the distribution kernel update that corresponds to your branch.

Workarounds

  • Unload the rtw88_8822b module with modprobe -r rtw88_8822b on systems where the WiFi adapter is unused
  • Prevent unprivileged users from running iw and related nl80211 clients through sudoers and capability restrictions
  • Keep the wireless interface powered on during antenna configuration changes to avoid triggering the WARNING path
bash
# Verify whether the rtw88_8822b driver is loaded
lsmod | grep rtw88_8822b

# Temporarily blacklist the driver until a patched kernel is deployed
echo 'blacklist rtw88_8822b' | sudo tee /etc/modprobe.d/blacklist-rtw88.conf
sudo update-initramfs -u

# Confirm the running kernel version against fixed commits
uname -r

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.