Cyber Resilience

CVE-2025-71234

High

Published: 18 February 2026

Modified: 18 March 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.8th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-71234 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-71234 is a slab-out-of-bounds write vulnerability in the Linux kernel's rtl8xxxu WiFi driver. The issue arises because the driver fails to set hw->sta_data_size, causing the mac80211 subsystem to allocate insufficient space for driver private station data in __sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of struct rtl8xxxu_sta_info via sta->drv_priv, it triggers the out-of-bounds write. This affects Linux kernel instances using the rtl8xxxu driver, such as with RTL8192EU adapters, and was detected via KASAN on RISC-V platforms like the StarFive VisionFive 2 board.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H) through the out-of-bounds write (CWE-787), potentially allowing arbitrary code execution, data corruption, or system crashes within the kernel context.

Mitigation is provided via upstream kernel patches, which fix the issue by setting hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during probe, mirroring the configuration of hw->vif_data_size. Relevant commits include https://git.kernel.org/stable/c/116f7bd8160c6b37d1c6939385abf90f6f6ed2f5, https://git.kernel.org/stable/c/5d810ba377eddee95d30766d360a14efbb3d1872, https://git.kernel.org/stable/c/86c946bcc00f6390ef65e9614ae60a9377e454f8, and https://git.kernel.org/stable/c/9a0f3fa6ecd0c9c32dbc367a57482bbf7c7d25bf. Security practitioners should update affected kernels and verify rtl8xxxu usage in their environments.
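
The allocation mismatch and its fix described above, modelled in user space as an added example (not the kernel's or the driver's own code). The struct names, members and helper functions are simplified stand-ins; only the "core object plus hw->sta_data_size" sizing comes from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the mac80211 station object: core fields, then a flexible
 * array the driver treats as its private area (reached via sta->drv_priv). */
struct model_sta {
    uint8_t addr[6];
    uint16_t aid;
    uint8_t drv_priv[] __attribute__((aligned(sizeof(void *))));
};

/* Stand-in for struct rtl8xxxu_sta_info; the member set is illustrative. */
struct model_drv_sta_info {
    void *sta;
    void *vif;
    uint8_t macid;
};

/* Stand-in for the hw object: only the size the driver advertises. */
struct model_hw {
    size_t sta_data_size;
};

/* Bytes reserved per station: core object plus hw->sta_data_size. */
static size_t sta_alloc_size(const struct model_hw *hw)
{
    return sizeof(struct model_sta) + hw->sta_data_size;
}

/* Bytes by which a driver store of len bytes at offset off inside drv_priv
 * runs past the end of the allocation; 0 means the store is in bounds. */
static size_t drv_priv_overrun(const struct model_hw *hw, size_t off, size_t len)
{
    size_t end = offsetof(struct model_sta, drv_priv) + off + len;
    size_t alloc = sta_alloc_size(hw);
    return end > alloc ? end - alloc : 0;
}

int main(void)
{
    struct model_hw unpatched = { .sta_data_size = 0 }; /* field never set */
    struct model_hw patched = { .sta_data_size = sizeof(struct model_drv_sta_info) };

    printf("unpatched: pointer store at drv_priv overruns by %zu bytes\n",
           drv_priv_overrun(&unpatched, 0, sizeof(void *)));
    printf("patched:   pointer store at drv_priv overruns by %zu bytes\n",
           drv_priv_overrun(&patched, 0, sizeof(void *)));
    return 0;
}
```

With the size left at zero, the private area begins exactly where the allocation ends, so every store through drv_priv lands in whatever object follows it in the slab.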


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add

The driver does not set hw->sta_data_size, which causes mac80211 to allocate insufficient space for driver private station data in __sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of struct rtl8xxxu_sta_info through sta->drv_priv, this results in a slab-out-of-bounds write.

KASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:

BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346
Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12

Set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during probe, similar to how hw->vif_data_size is configured. This ensures mac80211 allocates sufficient space for the driver's per-station private data.

Tested on StarFive VisionFive 2 v1.2A board.


Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel OOB write in rtl8xxxu driver directly enables privilege escalation to root via arbitrary code execution or corruption (CWE-787).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137 (same product: Linux kernel)
CVE-2026-31772 (same product: Linux kernel)
CVE-2026-23378 (same product: Linux kernel)
CVE-2026-31494 (same product: Linux kernel)
CVE-2025-21735 (same product: Linux kernel)
CVE-2025-21650 (same product: Linux kernel)
CVE-2024-52319 (same product: Linux kernel)
CVE-2024-58003 (same product: Linux kernel)
CVE-2026-23343 (same product: Linux kernel)
CVE-2026-23092 (same product: Linux kernel)

Affected Assets

linux
linux kernel
6.9 — 6.12.72 · 6.13 — 6.18.11 · 6.19 — 6.19.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the slab-out-of-bounds write by applying upstream kernel patches that set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info), ensuring sufficient allocation for driver private station data.

prevent

Implements kernel memory protection mechanisms like KASLR, SMEP/SMAP, and slab randomization that prevent exploitation of the out-of-bounds write in rtl8xxxu_sta_add accessing sta->drv_priv.

detect

Vulnerability scanning detects affected kernel versions using the rtl8xxxu driver, enabling identification and remediation of this specific slab-out-of-bounds flaw.
