CVE-2025-68256
Description
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
The Information Element (IE) parser rtw_get_ie() trusted the length byte of each IE without validating that the IE body (len bytes after the 2-byte header) fits inside the remaining frame buffer. A malformed frame can advertise an IE length larger than the available data, causing the parser to increment its pointer beyond the buffer end. This results in out-of-bounds reads or, depending on the pattern, an infinite loop.
Fix by validating that (offset + 2 + len) does not exceed the limit before accepting the IE or advancing to the next element.
This prevents OOB reads and ensures the parser terminates safely on malformed frames.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing bounds check in rtl8723bs Wi-Fi driver's IE parser allows out-of-bounds read and potential infinite loop from crafted frames.
Vulnerability
Description CVE-2025-68256 is an out-of-bounds read vulnerability in the Linux kernel's staging driver rtl8723bs, specifically within the Information Element (IE) parser function rtw_get_ie(). The root cause is that the parser trusts the length byte of each IE without validating that the IE body (specified by that length) fits within the remaining frame buffer. A malformed frame can advertise an IE length larger than the available data, causing the parser to read beyond the allocated buffer.
Exploitation
An attacker with the ability to send crafted Wi-Fi management frames to a device using this driver can trigger the vulnerability. No authentication is required beyond proximity to the target. By manipulating the IE length field in a frame, the attacker forces the parser to increment its pointer past the buffer boundary, leading to out-of-bounds reads. Under certain conditions, the malformed data can cause an infinite loop in the parser, denying service.
Impact
Successful exploitation could result in information disclosure through out-of-bounds reads of kernel memory, or a denial-of-service condition via an infinite loop. The vulnerability is local to the kernel driver but can be triggered remotely by a nearby attacker sending a single crafted frame. The impact is limited to systems with the rtl8723bs driver loaded and an active Wi-Fi interface.
Mitigation
The Linux kernel has released fixes that add a bounds check: the parser now verifies that offset + 2 + len does not exceed the limit before processing the IE [1][2][3]. Users should update their kernel to a version containing the fix. There are no known workarounds, as the driver is part of the kernel and cannot be easily disabled without losing Wi-Fi functionality on affected hardware.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/154828bf9559b9c8421fc2f0d7f7f76b3683aaednvd
- git.kernel.org/stable/c/30c558447e90935f0de61be181bbcedf75952e00nvd
- git.kernel.org/stable/c/9829c6e1b2e4180fd18315252ad6faeab6128076nvd
- git.kernel.org/stable/c/a54e2b2db1b7de2e008b4f62eec35aaefcc663c5nvd
- git.kernel.org/stable/c/b977eb31802817f4a37da95bf16bfdaa1eeb5fc2nvd
- git.kernel.org/stable/c/c0d93d69e1472ba75b78898979b90a98ba2a2501nvd
- git.kernel.org/stable/c/df191dd9f4c7249d98ada55634fa8ac19089b8cbnvd
News mentions
0No linked articles in our index yet.