CVE-2026-43213 Overview
CVE-2026-43213 is a null pointer dereference vulnerability in the Linux kernel's rtw89 PCI Wi-Fi driver. The flaw resides in the TX release report handling logic, where hardware can occasionally report an abnormal sequence number. When this occurs, the driver accesses out-of-bounds memory in the wd_ring->pages array, triggering a kernel oops in rtw89_pci_release_tx. The vulnerability has been resolved upstream by validating rpp_info.seq before it is used as an index. Affected systems use Realtek 802.11ax (Wi-Fi 6) chipsets supported by the rtw89_pci driver.
Critical Impact
Triggering the abnormal hardware condition causes a kernel NULL pointer dereference and system crash, resulting in denial of service on affected Linux hosts.
Affected Products
- Linux kernel versions containing the rtw89_pci driver prior to the fix commits
- Systems using Realtek Wi-Fi 6/6E chipsets handled by the rtw89 driver family
- Distributions shipping vulnerable stable kernels referenced by the upstream patches
Discovery Timeline
- 2026-05-06 - CVE-2026-43213 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43213
Vulnerability Analysis
The rtw89 PCI driver processes TX release reports generated by the Wi-Fi hardware to free transmitted descriptors. Each report carries a sequence number (rpp_info.seq) that the driver uses as an index into the wd_ring->pages array. The driver did not validate this sequence number before dereferencing the resulting pointer. When the hardware reports an out-of-range value, the lookup returns memory outside the array, and a subsequent dereference yields a NULL pointer access.
The crash signature shows a supervisor read at address 0x0000000000000000 reached through rtw89_pci_release_tx during NAPI polling and softirq processing. The bug is reachable through the normal interrupt path (rtw89_pci_interrupt_threadfn → rtw89_pci_napi_poll → rtw89_pci_release_tx), so exploitation does not require privileged userspace activity. It triggers whenever the hardware emits a malformed report, which the commit message describes as rare but reproducible.
Root Cause
The root cause is missing input validation on hardware-supplied data ([CWE-476] NULL Pointer Dereference combined with out-of-bounds array access). The driver trusted the rpp_info.seq field returned by the device and used it directly as an array index into wd_ring->pages. Because the array is sized to the descriptor ring, any sequence number outside that range produces an invalid pointer.
Attack Vector
The attack vector is local to the host's Wi-Fi data path. The fault originates from the PCIe Wi-Fi device rather than from network traffic, and the impact is denial of service through a kernel oops. There are no public reports of remote exploitation, weaponized proof-of-concept code, or inclusion in the CISA Known Exploited Vulnerabilities catalog. The upstream resolution adds a bounds check on rpp_info.seq before the driver dereferences the corresponding pages entry, preventing the crash. See the upstream fix in Kernel Git Commit 957eda5, Kernel Git Commit b342dd1, and Kernel Git Commit ef7fa19.
Detection Methods for CVE-2026-43213
Indicators of Compromise
- Kernel oops messages referencing rtw89_pci_release_tx and rtw89_pci_napi_poll in dmesg or /var/log/kern.log
- BUG: kernel NULL pointer dereference, address: 0000000000000000 entries in PREEMPT SMP kernel logs on hosts using the rtw89_pci module
- Unexpected reboots or hangs correlated with Wi-Fi traffic on systems using Realtek Wi-Fi 6 adapters
Detection Strategies
- Inventory hosts loading the rtw89_pci kernel module and compare running kernel versions against the fixed stable releases referenced by the upstream commits.
- Parse kernel ring buffers for crash signatures matching the rtw89_pci_release_tx call trace published in the advisory.
- Track package versions of linux-image-* across the fleet to identify systems that have not received the patched kernel.
Monitoring Recommendations
- Forward kern.log and journalctl -k output to a centralized log platform and alert on rtw89_pci panics or repeated NAPI failures.
- Monitor host availability metrics for Linux endpoints with Realtek Wi-Fi adapters to detect crash-loop patterns.
- Track Wi-Fi interface flaps and NETDEV_UNREGISTER events that may follow a driver fault.
How to Mitigate CVE-2026-43213
Immediate Actions Required
- Upgrade affected Linux systems to a kernel build that includes commits 957eda5, b342dd1, or ef7fa19 from the stable tree.
- Identify hosts running the rtw89_pci driver using lsmod | grep rtw89 and prioritize patching for laptops and embedded devices in that set.
- Reboot patched systems to ensure the fixed module is loaded; live-patching frameworks may not cover driver code paths.
Patch Information
The vulnerability is fixed upstream by validating rpp_info.seq before indexing wd_ring->pages. Apply the stable kernel updates referenced in Kernel Git Commit 957eda5, Kernel Git Commit b342dd1, and Kernel Git Commit ef7fa19. Distribution maintainers should ship the corresponding linux-image package updates, and downstream vendors maintaining out-of-tree backports of rtw89_pci should rebase onto the patched source.
Workarounds
- Blacklist the rtw89_pci module on hosts that do not require Realtek Wi-Fi 6 connectivity by adding blacklist rtw89_pci to /etc/modprobe.d/.
- Switch affected endpoints to wired Ethernet or to an alternative USB Wi-Fi adapter handled by a different driver until the kernel update is deployed.
- Disable the Wi-Fi radio in firmware or via rfkill block wifi on systems where wireless connectivity is non-essential.
# Configuration example
# Verify whether the vulnerable driver is loaded
lsmod | grep rtw89_pci
# Temporarily unload the driver
sudo modprobe -r rtw89_pci
# Persistently blacklist until patched kernel is installed
echo 'blacklist rtw89_pci' | sudo tee /etc/modprobe.d/cve-2026-43213.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
