CVE-2026-31626
Published: 24 April 2026
Summary
CVE-2026-31626 is a high-severity Use of Uninitialized Resource (CWE-908) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 8.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Remediating the identified flaw by applying kernel patches that initialize le_tmp64 directly prevents use of uninitialized data in rtw_BIP_verify().
Vulnerability scanning detects kernels affected by CVE-2026-31626 and triggers remediation to patch the uninitialized resource flaw.
Configuring systems to least functionality by disabling non-essential staging drivers like rtl8723bs prevents exposure to this vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use of an uninitialized variable in the WiFi driver (rtw_BIP_verify) allows an adjacent attacker to send crafted 802.11 frames that trigger a kernel DoS (A:H impact); this maps directly to application/system exploitation for endpoint denial of service.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using uninitialized data. Smatch warns that only 6 bytes are copied to this 8-byte (u64) variable, leaving the last two bytes uninitialized:
drivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify() warn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes)
Initializing the variable at the start of the function fixes this warning and ensures predictable behavior.
Deeper analysis
CVE-2026-31626 affects the Linux kernel's staging rtl8723bs driver, specifically the rtw_BIP_verify() function in drivers/staging/rtl8723bs/core/rtw_security.c. The vulnerability stems from the failure to initialize the 8-byte u64 variable le_tmp64 to zero before use; only 6 bytes are copied into it, leaving the last two bytes uninitialized. This issue, flagged by the Smatch static analysis tool, constitutes a CWE-908 (Use of Uninitialized Resource) and carries a CVSS v3.1 base score of 7.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).
An attacker with adjacent network access can exploit this vulnerability with low complexity, no privileges, and no user interaction required. Exploitation involves triggering rtw_BIP_verify() with crafted input that leads to the use of uninitialized data in le_tmp64, potentially resulting in low integrity impact and high availability impact, such as denial of service, while confidentiality remains unaffected.
Mitigation is achieved by applying upstream patches in stable kernel branches, which initialize le_tmp64 to zero at the start of rtw_BIP_verify() to eliminate the uninitialized data usage and ensure predictable behavior. Relevant commits include 8c964b82a4e97ec7f25e17b803ee196009b38a57, b487a7754d874230299d5a9c2710ec4df8b2ed8a, c2026c6b603ebec52f55015496703fe79077accf, c65ee4d3be5df395e48afbcd0946dd5fce4338a9, and d5b8f5f8d6fc09a8af5ed139c688660f578ed732.
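The 6-of-8-byte copy described above, shown as an added user-space example (not the kernel's code) with the unfixed and fixed patterns side by side. The helper names, the sample field and the `stale` parameter are hypothetical; because reading truly uninitialized memory is undefined behaviour, the leftover stack contents are simulated with a fill byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 6-byte little-endian field (value 0x0102), standing
 * in for the 6 bytes the page says are copied into the 8-byte le_tmp64. */
static const uint8_t sample_field[6] = {0x02, 0x01, 0x00, 0x00, 0x00, 0x00};

/* Portable little-endian decode of an 8-byte buffer. */
static uint64_t le64_decode(const uint8_t b[8])
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | b[i];
    return v;
}

/* "Before" pattern (hypothetical helper): only 6 of 8 bytes are written.
 * Reading truly uninitialized memory is undefined behaviour, so the leftover
 * stack contents are modelled by pre-filling the buffer with `stale`. */
uint64_t decode_without_init(const uint8_t field[6], uint8_t stale)
{
    uint8_t tmp[8];
    memset(tmp, stale, sizeof(tmp));
    memcpy(tmp, field, 6);
    return le64_decode(tmp);
}

/* "After" pattern (hypothetical helper): zero the temporary first, as the
 * fix does, so the two bytes the copy never touches are always 0. */
uint64_t decode_with_init(const uint8_t field[6])
{
    uint8_t tmp[8] = {0};
    memcpy(tmp, field, 6);
    return le64_decode(tmp);
}

int main(void)
{
    printf("zeroed temp:      0x%016llx\n",
           (unsigned long long)decode_with_init(sample_field));
    printf("stale 0x00 bytes: 0x%016llx\n",
           (unsigned long long)decode_without_init(sample_field, 0x00));
    printf("stale 0xAA bytes: 0x%016llx\n",
           (unsigned long long)decode_without_init(sample_field, 0xAA));
    return 0;
}
```

The same 6 input bytes decode to different 64-bit values depending on what the two untouched bytes held, which is why zero-initializing the temporary makes the result deterministic.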
Details
- CWE(s)