CVE-2025-68254
Description
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
The Extended Supported Rates (ESR) IE handling in OnBeacon accessed *(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these offsets lie within the received frame buffer. A malformed beacon with an ESR IE positioned at the end of the buffer could cause an out-of-bounds read, potentially triggering a kernel panic.
Add a boundary check to ensure that the ESR IE body and the subsequent bytes are within the limits of the frame before attempting to access them.
This prevents OOB reads caused by malformed beacon frames.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in the rtl8723bs driver's beacon Extended Supported Rates IE parsing can cause kernel panic; fixed by adding a boundary check.
Vulnerability
In the Linux kernel's staging driver rtl8723bs, the OnBeacon function parses Extended Supported Rates (ESR) Information Elements from received beacon frames. The code accessed *(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these offsets remain within the bounds of the received frame buffer. A malformed beacon with an ESR IE positioned at the end of the buffer could trigger an out-of-bounds read, potentially leading to a kernel panic [1][2][3].
Exploitation
An attacker within Wi-Fi range can send a specially crafted beacon frame to a device using the rtl8723bs driver. No authentication is required because beacon frames are broadcast and processed before any association. The attacker only needs to control the beacon's Information Element layout to place the ESR IE such that its body extends beyond the actual frame length.
Impact
Successful exploitation causes an out-of-bounds read, which may result in a kernel panic (denial of service). The read accesses memory beyond the frame buffer, potentially exposing sensitive kernel memory or causing instability. The vulnerability does not appear to allow arbitrary code execution based on the description.
Mitigation
The fix adds a boundary check to ensure the ESR IE body and subsequent bytes are within the frame limits before accessing them [1][2][3]. The patch has been applied to the Linux kernel stable tree. Users should update to a kernel version containing the commit to eliminate the vulnerability.
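As an added illustration of the boundary check the Description and Mitigation sections describe (example code written for this page, not the rtl8723bs driver's own code): a small model of the IE walk in which the ESR element's body and the two bytes the parser reads after it are verified against the frame end before any access. It assumes the standard [id][len][body] element layout and the 802.11 Extended Supported Rates element ID 50; the function names and the sample IE regions are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Element ID of Extended Supported Rates in 802.11 (WLAN_EID_EXT_SUPP_RATES). */
#define ESR_IE_ID 50u

/* Hypothetical helper, not driver code: walk an IE region laid out as
 * [id][len][body...] and return the first element with `id` (pointer to its id
 * byte), storing its declared length in *ielen. The walk never reads past `len`,
 * but the element's declared length may still run beyond the buffer. */
static const uint8_t *find_ie(const uint8_t *ies, size_t len, uint8_t id, size_t *ielen)
{
    size_t off = 0;
    while (off + 2 <= len) {
        if (ies[off] == id) {
            *ielen = ies[off + 1];
            return ies + off;
        }
        off += 2u + ies[off + 1];
    }
    return NULL;
}

/* The boundary check the fix describes, modelled here: the parser reads
 * *(p + 1 + ielen) (last body byte) and *(p + 2 + ielen) (first byte after the
 * element), so every byte up to p + 2 + ielen must lie before `end` (one past
 * the last frame byte). Done on sizes so the comparison itself cannot wrap. */
static int esr_tail_in_bounds(const uint8_t *p, size_t ielen, const uint8_t *end)
{
    return (size_t)(end - p) >= ielen + 3;
}

/* Returns the element id that follows the ESR IE when it is safe to read,
 * -1 if the beacon has no ESR IE, -2 if the ESR IE is truncated by the frame. */
int next_id_after_esr(const uint8_t *ies, size_t len)
{
    size_t ielen;
    const uint8_t *p = find_ie(ies, len, ESR_IE_ID, &ielen);
    if (!p)
        return -1;
    if (!esr_tail_in_bounds(p, ielen, ies + len))
        return -2;   /* unchecked code would read past the frame buffer here */
    return p[2 + ielen];
}

/* Constructed IE regions (not captured frames): SSID "test", ESR {0x30,0x48}, HT stub. */
const uint8_t ies_ok[] = { 0, 4, 't', 'e', 's', 't', 50, 2, 0x30, 0x48, 45, 1, 0x00 };
/* Same, but ESR is the last element: its body fits, the byte after it does not. */
const uint8_t ies_short[] = { 0, 4, 't', 'e', 's', 't', 50, 2, 0x30, 0x48 };
```

The second sample is the subtle case: the element body itself is complete, yet the parser's read of the byte following it would already be out of bounds, which is why the check covers `p + 2 + ielen` and not just the body.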
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: no patches discovered yet.
References
- git.kernel.org/stable/c/38292407c2bb5b2b3131aaace4ecc7a829b40b76
- git.kernel.org/stable/c/502ddcc405b69fa92e0add6c1714d654504f6fd7
- git.kernel.org/stable/c/bb5940193d813449540d8d3a82abc045be41f48a
- git.kernel.org/stable/c/bf323db1d883c209880bd92f3b12503e3531c3fc
- git.kernel.org/stable/c/c03cb111628924827351e19baa5b073e9b0d723d
- git.kernel.org/stable/c/c173ce97d3f0f0c0fefa39139d6d04ba60b5db22
- git.kernel.org/stable/c/d1ab7f9cee22e7b8a528da9ac953e4193b96cda5