CVE-2023-54036
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU
The wifi + bluetooth combo chip RTL8723BU can leak memory (especially?) when it's connected to a bluetooth audio device. The busy bluetooth traffic generates lots of C2H (card to host) messages, which are not freed correctly.
To fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback() inside the loop where skb_dequeue() is called.
The RTL8192EU leaks memory because the C2H messages are added to the queue and left there forever. (This was fine in the past because it probably wasn't sending any C2H messages until commit e542e66b7c2e ("wifi: rtl8xxxu: gen2: Turn on the rate control"). Since that commit it sends a C2H message when the TX rate changes.)
To fix this, delete the check for rf_paths > 1 and the goto. Let the function process the C2H messages from RTL8192EU like the ones from the other chips.
Theoretically the RTL8188FU could also leak like RTL8723BU, but it most likely doesn't send C2H messages frequently enough.
This change was tested with RTL8723BU by Erhard F. I tested it with RTL8188FU and RTL8192EU.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's rtl8xxxu WiFi driver affects RTL8723BU and RTL8192EU chips through mishandled C2H messages, fixable by moving dev_kfree_skb calls and removing a premature check.
What the vulnerability is
The rtl8xxxu driver in the Linux kernel contains two separate memory-leak bugs affecting the RTL8723BU and RTL8192EU chips. For RTL8723BU, frequent C2H (card-to-host) messages—generated particularly during Bluetooth audio activity—are enqueued but never freed because the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback() is placed outside the dequeuing loop. For RTL8192EU, a goto guard that checks rf_paths > 1 prevents all C2H processing, and since commit e542e66b7c2e ("wifi: rtl8xxxu: gen2: Turn on the rate control") now generates a C2H message on rate changes, those messages accumulate indefinitely. The RTL8188FU is theoretically at risk but is unlikely to trigger the bug in normal operation [1][2].
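A userspace C model of the two leak patterns described above and of the fix, added here as an illustration; it is not the driver's code. The buffer type, queue and function names are hypothetical stand-ins for the kernel's sk_buff queue, and the "single free after the loop" shape is an assumption drawn from the description.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace stand-ins for sk_buff and the C2H queue; all names are hypothetical. */
struct buf { struct buf *next; };
struct queue { struct buf *head, *tail; };
static long live; /* buffers allocated and not yet freed */
static void enqueue(struct queue *q) {
    struct buf *b = calloc(1, sizeof(*b));
    if (!b) abort();
    live++;
    if (q->tail) q->tail->next = b; else q->head = b;
    q->tail = b;
}
static struct buf *dequeue(struct queue *q) {
    struct buf *b = q->head;
    if (b) { q->head = b->next; if (!q->head) q->tail = NULL; }
    return b;
}
static void buf_free(struct buf *b) { if (b) { free(b); live--; } }

/* Before the fix: rf_paths guard plus a single free placed after the loop. */
static void c2h_work_before(struct queue *q, int rf_paths) {
    struct buf *b = NULL;
    if (rf_paths > 1) goto out;   /* queue is left untouched */
    while (q->head)
        b = dequeue(q);           /* pointer to the previous buffer is lost */
out:
    buf_free(b);                  /* releases at most the last buffer */
}

/* After the fix: no guard, every dequeued buffer is freed inside the loop. */
static void c2h_work_after(struct queue *q) {
    struct buf *b;
    while ((b = dequeue(q)) != NULL)
        buf_free(b);
}

/* Queue n messages, run one handler pass, return buffers still allocated. */
static long leaked(int n, int rf_paths, int fixed) {
    struct queue q = {0};
    live = 0;
    for (int i = 0; i < n; i++) enqueue(&q);
    if (fixed) c2h_work_after(&q); else c2h_work_before(&q, rf_paths);
    return live;
}

int main(void) {
    printf("%ld %ld %ld\n", leaked(8, 1, 0), leaked(8, 2, 0), leaked(8, 2, 1));
    return 0;
}
```

In this model the single-path "before" handler leaks every queued buffer except the last, and the multi-path case leaks all of them, which is why the leak rate tracks how many C2H messages pile up between handler runs.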
How it is exploited
Exploitation does not require attacker authentication or special network access; any legitimate Bluetooth audio connection to an RTL8723BU device, or simply normal rate-control changes on an RTL8192EU device, will cause the driver to leak C2H sk_buff objects. No specific attacker interaction is needed beyond regular usage that triggers C2H message generation. On RTL8723BU, the leakage rate increases with Bluetooth traffic, while on RTL8192EU even a single rate-change event can lead to a persistent leak because C2H messages are never consumed [1][2].
Impact
An attacker who can induce Bluetooth audio streaming (or any activity generating frequent C2H messages) on a system using RTL8723BU, or trigger rate changes on RTL8192EU, can gradually exhaust kernel memory. Over time, this leads to system instability, denial-of-service (DoS) for the WiFi interface, and potentially a complete system hang due to memory exhaustion. The impact is local but resource-exhaustion based, with no data exposure or privilege escalation [1][2].
Mitigation
Both bugs are fixed in the Linux kernel stable tree. For RTL8723BU, the fix moves dev_kfree_skb() inside the skb-dequeue loop; for RTL8192EU, the rf_paths > 1 guard is removed, allowing normal C2H processing. Users should update to a kernel containing either commit 430f9f9bec53 or commit b39f662ce1648 (both dated 2025-12-24). No workaround other than kernel patching exists [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
5
430f9f9bec53, 35fb0e275af1, 93c3f34ec02f, f39a86b4efd2, b39f662ce164
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5
- git.kernel.org/stable/c/35fb0e275af1aa1ca0a9784417e90f988aaf8e78 (nvd)
- git.kernel.org/stable/c/430f9f9bec53a75f9ccc53e156a66f13fc098b83 (nvd)
- git.kernel.org/stable/c/93c3f34ec02fc81188d328287d4fddd498ccddea (nvd)
- git.kernel.org/stable/c/b39f662ce1648db0b9de32e6a849b098480793cb (nvd)
- git.kernel.org/stable/c/f39a86b4efd270947ee252cc32a30b0aef492d65 (nvd)