CVE-2025-71100
Published: 13 January 2026
Summary
CVE-2025-71100 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely remediation through upstream kernel patches directly resolves the array out-of-bounds access in the rtl92cu_tx_fill_desc function by adding the missing TID bounds check.
Validating the TID before it is used as an array index in the WiFi driver prevents exploitation of the out-of-bounds access.
Kernel memory protection mechanisms such as KASLR and SMEP mitigate potential memory corruption from the out-of-bounds array access.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel out-of-bounds write in WiFi driver directly enables privilege escalation via memory corruption (T1068).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() TID getting from ieee80211_get_tid() might be out of range of array size of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Otherwise, UBSAN warn: UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30 index 10 is out of range for type 'rtl_tid_data [9]'
Deeper analysis
CVE-2025-71100 is an array index out-of-bounds vulnerability in the Linux kernel's rtlwifi driver for the Realtek RTL8192CU WiFi chipset, specifically in the rtl92cu_tx_fill_desc() function within drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c. The issue arises when the TID value obtained from ieee80211_get_tid() exceeds the array size of sta_entry->tids[] (which is limited to 9 elements, corresponding to MAX_TID_COUNT), such as an index of 10, triggering a UBSAN warning for improper validation of array index (CWE-129). The vulnerability was published on 2026-01-13 with a CVSS v3.1 base score of 7.8.
A local attacker with low privileges (AV:L/AC:L/PR:L) can exploit this flaw without user interaction and with unchanged scope, potentially achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Exploitation involves triggering the out-of-bounds access during WiFi transmit descriptor filling, which could lead to kernel memory corruption, denial of service, or privilege escalation depending on the context.
Mitigation requires applying upstream kernel patches, as detailed in the referenced stable commits: https://git.kernel.org/stable/c/90a15ff324645aa806d81fa349497cd964861b66, https://git.kernel.org/stable/c/9765d6eb8298b07d499cdf9ef7c237d3540102d6, and https://git.kernel.org/stable/c/dd39edb445f07400e748da967a07d5dca5c5f96e. These commits add a bounds check to ensure the TID is less than MAX_TID_COUNT before array access, resolving the out-of-bounds issue.
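The bounds check described above, as an added user-space model (not the kernel patch or any code from the referenced commits). `MAX_TID_COUNT`, `rtl_tid_data` and the index 10 come from the page; the struct layout, the helper names, and the 4-bit TID mask (the TID subfield of the 802.11 QoS Control field) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TID_COUNT    9     /* array size reported in the UBSAN message */
#define QOS_CTL_TID_MASK 0x0f  /* assumption: TID is the low 4 bits of QoS Control */

/* Simplified stand-ins for the driver's per-station state (hypothetical layout). */
struct rtl_tid_data { int agg_state; };
struct sta_entry { struct rtl_tid_data tids[MAX_TID_COUNT]; };

/* Extract the TID from the first QoS Control byte: any value 0..15 can be encoded. */
static uint8_t qos_tid(const uint8_t qos_ctl[2])
{
    return qos_ctl[0] & QOS_CTL_TID_MASK;
}

/* Checked lookup: returns NULL instead of indexing past the end of tids[]. */
static struct rtl_tid_data *tid_lookup(struct sta_entry *sta, uint8_t tid)
{
    if (sta == NULL || tid >= MAX_TID_COUNT)
        return NULL;
    return &sta->tids[tid];
}

/* Count how many of the 16 encodable TIDs the check rejects. */
static int rejected_tid_count(struct sta_entry *sta)
{
    int rejected = 0;
    for (unsigned tid = 0; tid <= QOS_CTL_TID_MASK; tid++)
        if (tid_lookup(sta, (uint8_t)tid) == NULL)
            rejected++;
    return rejected;
}

int main(void)
{
    struct sta_entry sta = {0};
    const uint8_t qos_ctl[2] = { 0x0a, 0x00 }; /* constructed input: TID 10, as in the UBSAN report */
    uint8_t tid = qos_tid(qos_ctl);
    struct rtl_tid_data *td = tid_lookup(&sta, tid);

    printf("tid=%u -> %s\n", tid, td ? "in range" : "rejected (no tids[] access)");
    printf("%d of 16 encodable TIDs fall outside tids[%d]\n",
           rejected_tid_count(&sta), MAX_TID_COUNT);
    return 0;
}
```

The model shows why the check is needed: the field that carries the TID can encode more values than the nine-element array can hold, so the index has to be validated at the point of use.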
Details
- CWE(s)