CVE-2025-71234
Published: 18 February 2026
Summary
CVE-2025-71234 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-71234 is a slab-out-of-bounds write vulnerability in the Linux kernel's rtl8xxxu WiFi driver. The issue arises because the driver fails to set hw->sta_data_size, causing the mac80211 subsystem to allocate insufficient space for driver private station data in __sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of struct rtl8xxxu_sta_info via sta->drv_priv, it triggers the out-of-bounds write. This affects Linux kernel instances using the rtl8xxxu driver, such as with RTL8192EU adapters, and was detected via KASAN on RISC-V platforms like the StarFive VisionFive 2 board.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H) through the out-of-bounds write (CWE-787), potentially allowing arbitrary code execution, data corruption, or system crashes within the kernel context.
Mitigation is provided via upstream kernel patches, which fix the issue by setting hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during probe, mirroring the configuration of hw->vif_data_size. Relevant commits include https://git.kernel.org/stable/c/116f7bd8160c6b37d1c6939385abf90f6f6ed2f5, https://git.kernel.org/stable/c/5d810ba377eddee95d30766d360a14efbb3d1872, https://git.kernel.org/stable/c/86c946bcc00f6390ef65e9614ae60a9377e454f8, and https://git.kernel.org/stable/c/9a0f3fa6ecd0c9c32dbc367a57482bbf7c7d25bf. Security practitioners should update affected kernels and verify rtl8xxxu usage in their environments.
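The size mismatch described above, modelled in user-space C as an added example (not the kernel's or the driver's code). The struct layouts, the model_* names and the bounds guard in model_sta_add are assumptions made for illustration; the actual fix is the probe-time assignment of hw->sta_data_size that the page describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins (assumed layouts, NOT the kernel's real structs). */
struct model_hw { size_t sta_data_size; };      /* plays the role of ieee80211_hw */
struct model_sta {                              /* station header + trailing driver area */
    uint8_t addr[6];
    uint8_t drv_priv[] __attribute__((aligned(sizeof(void *))));
};
struct model_drv_sta { void *sta; void *vif; uint8_t macid; }; /* driver private data */

/* Allocation shaped like the one the page attributes to __sta_info_alloc():
 * header plus whatever the driver declared in sta_data_size. */
static struct model_sta *model_sta_alloc(const struct model_hw *hw)
{
    return calloc(1, sizeof(struct model_sta) + hw->sta_data_size);
}

/* Bytes of the driver struct that would land outside the allocation. */
static size_t priv_overrun(const struct model_hw *hw)
{
    size_t need = sizeof(struct model_drv_sta);
    return need > hw->sta_data_size ? need - hw->sta_data_size : 0;
}

/* Guarded stand-in for the driver's sta_add: refuses instead of writing past the slab. */
static int model_sta_add(const struct model_hw *hw, struct model_sta *sta, uint8_t macid)
{
    if (priv_overrun(hw) != 0)
        return -1;                      /* drv_priv area too small for the driver struct */
    struct model_drv_sta *info = (struct model_drv_sta *)sta->drv_priv;
    info->sta = sta;
    info->macid = macid;
    return 0;
}

/* Run one probe configuration end to end; returns model_sta_add's result. */
static int try_config(size_t sta_data_size)
{
    struct model_hw hw = { .sta_data_size = sta_data_size };
    struct model_sta *sta = model_sta_alloc(&hw);
    if (!sta) return -2;
    int rc = model_sta_add(&hw, sta, 1);
    free(sta);
    return rc;
}

int main(void)
{
    printf("unset sta_data_size: rc=%d\n", try_config(0));
    printf("patched sta_data_size: rc=%d\n", try_config(sizeof(struct model_drv_sta)));
    return 0;
}
```

In the unpatched configuration the whole driver struct lies beyond the allocation, which is the condition KASAN reported as a write past the slab object.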
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207664
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add
The driver does not set hw->sta_data_size, which causes mac80211 to allocate insufficient space for driver private station data in __sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of struct rtl8xxxu_sta_info through sta->drv_priv, this results in a slab-out-of-bounds write.
KASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:
BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346
Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12
Set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during probe, similar to how hw->vif_data_size is configured. This ensures mac80211 allocates sufficient space for the driver's per-station private data.
Tested on StarFive VisionFive 2 v1.2A board.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Local kernel OOB write in rtl8xxxu driver directly enables privilege escalation to root via arbitrary code execution or corruption (CWE-787).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the slab-out-of-bounds write by applying upstream kernel patches that set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info), ensuring sufficient allocation for driver private station data.
Implements kernel memory protection mechanisms like KASLR, SMEP/SMAP, and slab randomization that prevent exploitation of the out-of-bounds write in rtl8xxxu_sta_add accessing sta->drv_priv.
Vulnerability scanning detects affected kernel versions using the rtl8xxxu driver, enabling identification and remediation of this specific slab-out-of-bounds flaw.