CVE-2026-36355 Overview
CVE-2026-36355 affects the rtl8192cd Wi-Fi kernel driver shipped in the Realtek rtl819x Jungle Software Development Kit (SDK), including all known versions through v3.4.14B. The driver exposes two debug ioctl handlers, write_mem (0x89F5) and read_mem (0x89F6), without performing any access control checks. These handlers are compiled into production builds because the _IOCTL_DEBUG_CMD_ macro in 8192cd_cfg.h is unconditionally defined. A local attacker can read from and write to arbitrary kernel memory through these ioctls, breaking confidentiality and integrity of the device.
Critical Impact
Local users on affected devices can read and write arbitrary kernel memory through unprivileged ioctl calls, enabling credential theft and privilege escalation on Realtek-based Wi-Fi routers and access points.
Affected Products
- Realtek rtl8192cd Wi-Fi kernel driver
- Realtek rtl819x Jungle SDK, all versions through v3.4.14B
- Network devices and consumer routers built on the Realtek rtl819x platform
Discovery Timeline
- 2026-05-05 - CVE-2026-36355 published to the National Vulnerability Database (NVD)
- 2026-05-07 - Last updated in NVD
Technical Details for CVE-2026-36355
Vulnerability Analysis
The rtl8192cd driver registers debug ioctl handlers intended for development and validation. The write_mem handler at ioctl number 0x89F5 accepts a kernel address and writes attacker-supplied bytes to that address. The read_mem handler at 0x89F6 returns kernel memory contents from any address provided by the caller. Neither handler validates the caller's privilege level, capabilities, or namespace. The handlers also accept arbitrary pointers without bounds checking against valid kernel mappings.
This behavior is classified as exposure of sensitive information to an unauthorized actor [CWE-200], although the practical impact extends to arbitrary kernel write primitives. The vulnerability requires local access to the device, such as a shell session on the router or an unprivileged process on systems that bridge user input to the driver.
Root Cause
The root cause is the unconditional definition of the _IOCTL_DEBUG_CMD_ preprocessor macro in 8192cd_cfg.h. This macro gates the inclusion of the debug ioctl handlers at compile time. Because the macro is always defined, every production build of the SDK ships with the debug interface enabled. The handlers themselves perform no capable(CAP_SYS_RAWIO) check or any equivalent access control check before carrying out the requested memory operation.
Attack Vector
An attacker with local access opens the Wi-Fi network device, for example through socket(AF_INET, SOCK_DGRAM, 0), and issues ioctl() with command 0x89F6 to read kernel memory or 0x89F5 to write to it. The attacker can locate kernel structures such as cred objects, overwrite uid fields, and elevate privileges. The same primitive enables extraction of cryptographic keys, configuration secrets, and Wi-Fi Protected Access (WPA) passphrases from kernel memory. Public proof-of-concept material is available in the GitHub CVE-2026-36355 repository.
Detection Methods for CVE-2026-36355
Indicators of Compromise
- Unexpected ioctl() syscalls with command numbers 0x89F5 or 0x89F6 issued against rtl8192cd interface names such as wlan0 or rai0
- Unprivileged processes opening raw network sockets and immediately issuing device-specific ioctls
- Anomalous changes to process credentials or sudden privilege transitions on embedded Realtek-based devices
Detection Strategies
- Audit ioctl syscalls on Linux-based router firmware using auditd or eBPF probes filtering on commands 0x89F5 and 0x89F6
- Inspect firmware images for the _IOCTL_DEBUG_CMD_ build artifact and the write_mem and read_mem symbols in the rtl8192cd module
- Monitor for unexpected kernel module loads and integrity changes on production routers
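
The audit-log filter described in the first strategy, as an added example that is not part of the original advisory: it scans raw auditd SYSCALL records for ioctl calls whose command argument is 0x89F5 or 0x89F6. The sample records, the key name rtl_dbg_ioctl and the executable paths are constructed for illustration.

```python
import re

# Debug ioctl numbers from the advisory. Both sit in the SIOCDEVPRIVATE range
# (0x89F0-0x89FF), which other drivers reuse for their own private commands.
DEBUG_IOCTLS = {0x89F5: "write_mem", 0x89F6: "read_mem"}

# audit "arch" field -> ioctl(2) syscall number for that ABI.
IOCTL_NR = {"8": 4054, "40000008": 4054,   # MIPS o32, big/little endian
            "40000028": 54,                 # ARM EABI
            "c000003e": 16}                 # x86_64
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def debug_ioctl_hits(lines):
    """Return one dict per SYSCALL record that issued a debug ioctl."""
    hits = []
    for line in lines:
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if rec.get("type") != "SYSCALL":
            continue
        if str(IOCTL_NR.get(rec.get("arch"))) != rec.get("syscall"):
            continue                        # not ioctl(2) on a known ABI
        try:
            cmd = int(rec.get("a1", ""), 16) & 0xFFFFFFFF  # a0..a3 are bare hex
        except ValueError:
            continue
        if cmd in DEBUG_IOCTLS:
            hits.append({"handler": DEBUG_IOCTLS[cmd],
                         "pid": int(rec.get("pid", -1)),
                         "exe": rec.get("exe", "?"),
                         "unprivileged": rec.get("euid") != "0"})
    return hits

# Constructed sample records (not captured from a real device).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1778000000.101:211): arch=8 syscall=4054 a0=3 a1=89f6 '
    'a2=7fc41b30 pid=702 uid=1000 euid=1000 exe="/tmp/sample" key="rtl_dbg_ioctl"',
    'type=SYSCALL msg=audit(1778000000.150:212): arch=8 syscall=4054 a0=4 a1=8913 '
    'a2=7fd00010 pid=455 uid=0 euid=0 exe="/sbin/ifconfig" key="rtl_dbg_ioctl"',
    'type=SYSCALL msg=audit(1778000001.002:213): arch=8 syscall=4054 a0=3 a1=89f5 '
    'a2=7fc41b30 pid=710 uid=0 euid=0 exe="/bin/diagtool" key="rtl_dbg_ioctl"',
    'type=SYSCALL msg=audit(1778000001.300:214): arch=8 syscall=4003 a0=3 a1=89f5 '
    'a2=40 pid=711 uid=1000 euid=1000 exe="/bin/cat" key="rtl_dbg_ioctl"',
]

if __name__ == "__main__":
    for hit in debug_ioctl_hits(SAMPLE_LOG):
        print(hit)
```

The SYSCALL record does not carry the interface name, which sits in the request structure that a2 points to, so a hit should be correlated with device inventory to confirm the target is an rtl8192cd interface.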
Monitoring Recommendations
- Forward router and access point logs to a central data lake and alert on local shell access from non-administrative accounts
- Track failed and successful authentication attempts on management interfaces of Realtek-based devices
- Establish baselines for ioctl activity on managed embedded devices and alert on deviation
How to Mitigate CVE-2026-36355
Immediate Actions Required
- Identify all network devices using the Realtek rtl819x Jungle SDK and the rtl8192cd driver in inventory
- Restrict local and shell access to affected devices to administrators only
- Disable serial, Telnet, and SSH services on routers exposed to untrusted users
- Segment vulnerable devices on isolated management networks until a vendor patch is available
Patch Information
No vendor patch is referenced in the NVD entry at the time of publication. Device integrators should rebuild the SDK with the _IOCTL_DEBUG_CMD_ macro removed from 8192cd_cfg.h or add a capable(CAP_SYS_RAWIO) check to the write_mem and read_mem handlers. Consult the Realtek official website for SDK updates and contact the device manufacturer for firmware revisions.
Workarounds
- Rebuild the rtl8192cd driver without the _IOCTL_DEBUG_CMD_ macro to remove the debug ioctl handlers entirely
- Add a privilege check requiring CAP_SYS_RAWIO at the entry of write_mem and read_mem if rebuilding without the macro is not feasible
- Restrict access to the Wi-Fi network interface device nodes through filesystem permissions where the platform allows
# Configuration example: rebuild guidance for integrators
# In drivers/net/wireless/rtl8192cd/8192cd_cfg.h, remove or guard:
# #define _IOCTL_DEBUG_CMD_
# Then rebuild the kernel module:
make -C /path/to/kernel M=$(pwd)/rtl8192cd clean
make -C /path/to/kernel M=$(pwd)/rtl8192cd modules
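
A pre-build check for the rebuild guidance above, as an added example that is not code from the SDK or the advisory: it reports every live #define of _IOCTL_DEBUG_CMD_ in a header and whether any build-time conditional encloses it. The header fragments are constructed, and SAMPLE_CFG_H and CONFIG_RTL8192CD_DEBUG_IOCTL are hypothetical names.

```python
import re

MACRO = "_IOCTL_DEBUG_CMD_"                 # macro named in the advisory
DIRECTIVE = re.compile(r"^\s*#\s*(\w+)\s*(.*?)\s*$")

def strip_comments(src):
    """Blank out comments but keep newlines so reported line numbers stay right."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def find_defines(src, macro=MACRO):
    """Return [(line_no, [enclosing conditionals])] for each live #define of macro."""
    stack, hits = [], []                    # stack items: [text, is_include_guard]
    for no, line in enumerate(strip_comments(src).splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        name = rest.split()[0] if rest else ""
        if kind in ("if", "ifdef", "ifndef"):
            stack.append([f"#{kind} {rest}", False])
        elif kind in ("elif", "else") and stack:
            stack[-1][0] = f"#{kind} {rest}".strip() + f" (after {stack[-1][0]})"
        elif kind == "endif" and stack:
            stack.pop()
        elif kind == "define" and name != macro:
            if stack and stack[-1][0] == f"#ifndef {name}":
                stack[-1][1] = True          # '#ifndef X / #define X' include guard
        elif kind == "define":
            hits.append((no, [text for text, guard in stack if not guard]))
    return hits

def unconditional_defines(src, macro=MACRO):
    """Line numbers where macro is defined with no build-time condition around it."""
    return [no for no, conds in find_defines(src, macro) if not conds]

# Constructed header fragments (not taken from the SDK).
VULNERABLE = """\
#ifndef SAMPLE_CFG_H
#define SAMPLE_CFG_H
/* #define _IOCTL_DEBUG_CMD_   commented-out copy: must be ignored */
#define _IOCTL_DEBUG_CMD_
#endif
"""
GUARDED = VULNERABLE.replace(
    "\n#define _IOCTL_DEBUG_CMD_\n",
    "\n#ifdef CONFIG_RTL8192CD_DEBUG_IOCTL\n#define _IOCTL_DEBUG_CMD_\n#endif\n")
```

A non-empty result from unconditional_defines() on the real 8192cd_cfg.h means the debug handlers will be compiled into the module; a define that find_defines() reports under a conditional still needs review of how that condition is set in production builds.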


