CVE-2026-23073
Published: 04 February 2026
Summary
CVE-2026-23073 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 6.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely identification, reporting, and patching of the memory corruption flaw in the RSI911x WiFi driver by applying the upstream kernel fix that sets the correct vif driver data size.
- Implements kernel memory protection mechanisms such as stack canaries, KASLR, and guard pages that limit the impact of out-of-bounds writes corrupting adjacent structures such as struct fq_tin.
- Enables vulnerability scanning and monitoring to identify systems running Linux kernel versions affected by this RSI911x driver memory allocation flaw.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Kernel memory corruption (an out-of-bounds write) in a local driver context directly enables local privilege escalation through memory manipulation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory corruption due to not set vif driver data size. The struct ieee80211_vif contains trailing space for vif driver data; when struct ieee80211_vif is allocated, the total memory size that is allocated is sizeof(struct ieee80211_vif) + size of vif driver data. The size of vif driver data is set by each WiFi driver as needed. The RSI911x driver does not set vif driver data size, so no trailing space for vif driver data is allocated past struct ieee80211_vif. The RSI911x driver does however use the vif driver data to store its vif driver data structure "struct vif_priv". An access to vif->drv_priv leads to access out of struct ieee80211_vif bounds and corruption of some memory. In case of the failure observed locally, rsi_mac80211_add_interface() would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv; vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member struct list_head new_flows. The flow = list_first_entry(head, struct fq_flow, flowchain); in fq_tin_reset() then reports a non-NULL bogus address, which when accessed causes a crash. The trigger is very simple: boot the machine with init=/bin/sh, mount devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1", "ip link set wlan0 down" and the crash occurs. Fix this by setting the correct size of vif driver data, which is the size of "struct vif_priv", so that memory is allocated and the driver can store its driver data in it, instead of corrupting memory around it.
Deeper analysis
CVE-2026-23073 is a memory corruption vulnerability in the Linux kernel's RSI911x WiFi driver. The issue arises because the driver fails to set the size of the vif driver data in struct ieee80211_vif, resulting in no additional trailing memory being allocated beyond the struct ieee80211_vif itself. Despite this, the driver attempts to store its private data structure, struct vif_priv, in the vif->drv_priv field, leading to out-of-bounds writes that corrupt adjacent memory, such as the struct fq_tin member struct list_head new_flows.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction. By executing simple commands, mounting the necessary filesystems (devtmpfs, sysfs, procfs) and then running "ip link set wlan0 up" followed by "ip link set wlan0 down", the attacker triggers the corrupting write during rsi_mac80211_add_interface(). The result can be a kernel crash on a later invalid memory access, such as in fq_tin_reset(), and the CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates the flaw as enabling high confidentiality, integrity, and availability impacts through broader memory manipulation.
The provided references point to stable kernel commit patches that mitigate the issue by explicitly setting the vif driver data size to sizeof(struct vif_priv). This ensures proper allocation of trailing space for the driver's private data, preventing out-of-bounds accesses and memory corruption. Security practitioners should apply these upstream fixes in affected kernel versions supporting the RSI911x driver.
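To make the sizing contract that the fix restores concrete, the following is an added user-space model written for this page (example code, not kernel or rsi driver code). It uses deliberately simplified stand-in structs, lays a struct fq_tin directly after the vif allocation in one buffer, fills it with a canary, performs the driver's vap_id write, and reports whether the neighbour changed; hw->vif_data_size is the real mac80211 field the fix sets, while the struct layouts and helper names here are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures (constructed for this example;
 * the field sets are reduced from the real mac80211/rsi definitions). */
struct ieee80211_vif {
    unsigned int type;
    unsigned char drv_priv[];  /* trailing driver area, sized by hw->vif_data_size */
};
struct vif_priv {              /* what the rsi driver stores in drv_priv */
    unsigned char vap_id;
    unsigned char sgi;
};
struct fq_tin {                /* the neighbour that was corrupted in the report */
    void *new_flows_next;
    void *new_flows_prev;
};
struct ieee80211_hw {
    size_t vif_data_size;      /* the field the upstream fix sets */
};

/* What the fixed driver does at init: declare room for struct vif_priv. */
static void rsi_hw_init_fixed(struct ieee80211_hw *hw) {
    hw->vif_data_size = sizeof(struct vif_priv);
}

/* Init-time sanity check a driver can run: does its private data fit? */
static int vif_data_size_ok(const struct ieee80211_hw *hw) {
    return hw->vif_data_size >= sizeof(struct vif_priv);
}

/* Allocate the vif with `vif_data_size` trailing bytes, place a canary-filled
 * fq_tin right after it, do the driver's write, and return 1 if the canary changed. */
static int vap_id_write_corrupts_neighbour(size_t vif_data_size) {
    size_t vif_sz = sizeof(struct ieee80211_vif) + vif_data_size;
    unsigned char *buf = calloc(1, vif_sz + sizeof(struct fq_tin));
    if (!buf) return -1;
    struct ieee80211_vif *vif = (struct ieee80211_vif *)buf;
    unsigned char *tin = buf + vif_sz;                   /* adjacent structure */
    memset(tin, 0xA5, sizeof(struct fq_tin));            /* canary fill */
    struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv;
    vif_info->vap_id = 1;                                /* the driver's write */
    int corrupted = 0;
    for (size_t i = 0; i < sizeof(struct fq_tin); i++)
        if (tin[i] != 0xA5) corrupted = 1;
    free(buf);
    return corrupted;
}
```

With vif_data_size left at 0 the write lands in the fq_tin canary; with the fixed size it stays inside the vif's own allocation.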
Details
- CWE(s)