{
"threat_severity" : "Moderate",
"public_date" : "2026-05-06T00:00:00Z",
"bugzilla" : {
"description" : "kernel: wifi: rtw89: pci: validate sequence number of TX release report",
"id" : "2467221",
"url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2467221"
},
"cvss3" : {
"cvss3_base_score" : "7.0",
"cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"status" : "draft"
},
"cwe" : "CWE-1285",
"details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nwifi: rtw89: pci: validate sequence number of TX release report\nHardware rarely reports abnormal sequence number in TX release report,\nwhich will access out-of-bounds of wd_ring->pages array, causing NULL\npointer dereference.\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 1085 Comm: irq/129-rtw89_p Tainted: G S U\n6.1.145-17510-g2f3369c91536 #1 (HASH:69e8 1)\nCall Trace:\n\nrtw89_pci_release_tx+0x18f/0x300 [rtw89_pci (HASH:4c83 2)]\nrtw89_pci_napi_poll+0xc2/0x190 [rtw89_pci (HASH:4c83 2)]\nnet_rx_action+0xfc/0x460 net/core/dev.c:6578 net/core/dev.c:6645 net/core/dev.c:6759\nhandle_softirqs+0xbe/0x290 kernel/softirq.c:601\n? rtw89_pci_interrupt_threadfn+0xc5/0x350 [rtw89_pci (HASH:4c83 2)]\n__local_bh_enable_ip+0xeb/0x120 kernel/softirq.c:499 kernel/softirq.c:423\n\n\nrtw89_pci_interrupt_threadfn+0xf8/0x350 [rtw89_pci (HASH:4c83 2)]\n? irq_thread+0xa7/0x340 kernel/irq/manage.c:0\nirq_thread+0x177/0x340 kernel/irq/manage.c:1205 kernel/irq/manage.c:1314\n? thaw_kernel_threads+0xb0/0xb0 kernel/irq/manage.c:1202\n? irq_forced_thread_fn+0x80/0x80 kernel/irq/manage.c:1220\nkthread+0xea/0x110 kernel/kthread.c:376\n? synchronize_irq+0x1a0/0x1a0 kernel/irq/manage.c:1287\n? kthread_associate_blkcg+0x80/0x80 kernel/kthread.c:331\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n\nTo prevent crash, validate rpp_info.seq before using.", "A flaw was found in the Linux kernel's rtw89_pci component. This vulnerability allows an attacker to cause a kernel NULL pointer dereference by sending a specially crafted TX release report with an abnormal sequence number. This can lead to an out-of-bounds memory access, resulting in a system crash and a Denial of Service (DoS)." ],
"package_state" : [ {
"product_name" : "Red Hat Enterprise Linux 10",
"fix_state" : "Affected",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:10"
}, {
"product_name" : "Red Hat Enterprise Linux 6",
"fix_state" : "Not affected",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:6"
}, {
"product_name" : "Red Hat Enterprise Linux 7",
"fix_state" : "Not affected",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:7"
}, {
"product_name" : "Red Hat Enterprise Linux 7",
"fix_state" : "Not affected",
"package_name" : "kernel-rt",
"cpe" : "cpe:/o:redhat:enterprise_linux:7"
}, {
"product_name" : "Red Hat Enterprise Linux 8",
"fix_state" : "Affected",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:8"
}, {
"product_name" : "Red Hat Enterprise Linux 8",
"fix_state" : "Affected",
"package_name" : "kernel-rt",
"cpe" : "cpe:/o:redhat:enterprise_linux:8"
}, {
"product_name" : "Red Hat Enterprise Linux 9",
"fix_state" : "Affected",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:9"
}, {
"product_name" : "Red Hat Enterprise Linux 9",
"fix_state" : "Affected",
"package_name" : "kernel-rt",
"cpe" : "cpe:/o:redhat:enterprise_linux:9"
} ],
"references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43213\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43213\nhttps://lore.kernel.org/linux-cve-announce/2026050650-CVE-2026-43213-33d1@gregkh/T" ],
"name" : "CVE-2026-43213",
"csaw" : false
}