Cyber Resilience

CVE-2026-36355

High

Published: 05 May 2026

Published
05 May 2026
Modified
07 May 2026
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0009 25.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-36355 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Realtek (inferred from references). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 25.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-36355 is a vulnerability in the rtl8192cd Wi-Fi kernel driver within the Realtek rtl819x Jungle SDK, affecting all known versions through v3.4.14B. The issue arises because the driver lacks access control checks on the write_mem (ioctl 0x89F5) and read_mem (ioctl 0x89F6) debug handlers, which are compiled into production builds via the unconditionally defined _IOCTL_DEBUG_CMD_ macro in 8192cd_cfg.h. This flaw is rated with a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWEs 200, 782, and 787.

A local attacker can exploit this vulnerability with low complexity, no privileges, and no user interaction required. Exploitation involves issuing the vulnerable ioctls to perform arbitrary memory reads and writes, potentially leading to high confidentiality and integrity impacts, such as exposing sensitive data or modifying critical kernel memory.

Advisories and further details are available from Realtek at http://realtek.com and the GitHub repository https://github.com/totekuh/CVE-2026-36355.

EU & UK References

Vulnerability details

The rtl8192cd Wi-Fi kernel driver in the Realtek rtl819x Jungle SDK (all known versions through v3.4.14B) does not perform any access control checks on the write_mem (ioctl 0x89F5) and read_mem (ioctl 0x89F6) debug handlers, which are compiled into production builds…

more

via the unconditionally defined _IOCTL_DEBUG_CMD_ macro in 8192cd_cfg.h

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1003 OS Credential Dumping Credential Access
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.
Why these techniques?

Arbitrary kernel memory read/write via unprotected debug ioctls from unprivileged local context directly enables exploitation for privilege escalation (T1068), credential access via kernel memory inspection (T1212), and OS credential dumping (T1003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-43189Shared CWE-200
CVE-2026-31699Shared CWE-787
CVE-2024-51729Shared CWE-787
CVE-2026-33317Shared CWE-787
CVE-2026-31407Shared CWE-787
CVE-2024-54509Shared CWE-787
CVE-2025-30273Shared CWE-787
CVE-2026-0124Shared CWE-787
CVE-2026-31401Shared CWE-787
CVE-2016-20044Shared CWE-787

Affected Assets

Realtek
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 mandates enforcement of approved authorizations for access to system resources, directly addressing the absence of access control checks on the vulnerable write_mem and read_mem ioctls in the kernel driver.

prevent

AC-6 enforces least privilege, preventing unprivileged local attackers from exploiting the ioctls for arbitrary kernel memory reads and writes.

prevent

AC-25 requires a reference monitor to mediate all subject-object accesses, ensuring kernel drivers like rtl8192cd properly enforce access controls on debug handlers.

References