CVE-2025-68362
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
The rtl8187_rx_cb() calculates the rx descriptor header address by subtracting its size from the skb tail pointer. However, it does not validate if the received packet (skb->len from urb->actual_length) is large enough to contain this header.
If a truncated packet is received, this will lead to a buffer underflow, reading memory before the start of the skb data area, and causing a kernel panic.
Add length checks for both rtl8187 and rtl8187b descriptor headers before attempting to access them, dropping the packet cleanly if the check fails.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Buffer underflow in Linux kernel's rtl8187 driver can cause kernel panic via truncated Wi-Fi packets.
Root
Cause
In the rtl8187_rx_cb() function of the Linux kernel rtl818x Wi-Fi driver, the receive descriptor header address is computed by subtracting the header size from the skb tail pointer. However, the function fails to verify that the received packet length (skb->len from urb->actual_length) is sufficient to contain the descriptor header. This oversight can lead to a buffer underflow when a deliberately truncated packet is processed.
Exploitation
An attacker capable of injecting crafted, undersized Wi-Fi frames to a system using the RTL8187 wireless chipset can trigger the vulnerability. No authentication is required; the attack is performed over the air by sending malformed frames that result in skb->len being smaller than the expected descriptor header. The function does not validate the packet length before performing the subtraction, causing an out-of-bounds read.
Impact
Successful exploitation results in reading memory located before the start of the skb data area, leading to a kernel panic (denial of service). The vulnerability does not provide arbitrary code execution or privilege escalation based on the description.
Mitigation
The fix adds proper length checks for both RTL8187 and RTL8187B descriptor headers before accessing them, dropping the packet cleanly if the check fails [1]. Users should apply the stable kernel updates that include commit dc153401fb26 or subsequent backports.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/118e12bf3e4288cf845cd3759bd9d4c99f91aab5nvd
- git.kernel.org/stable/c/4758770a673c60d8f615809304d72e1432fa6355nvd
- git.kernel.org/stable/c/5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15nvd
- git.kernel.org/stable/c/638d4148e166d114a4cd7becaae992ce1a815ed8nvd
- git.kernel.org/stable/c/6a96bd0d94305fd04a6ac64446ec113bae289384nvd
- git.kernel.org/stable/c/b647d2574e4583c2e3b0ab35568f60c88e910840nvd
- git.kernel.org/stable/c/dc153401fb26c1640a2b279c47b65e1c416af276nvd
- git.kernel.org/stable/c/e2f3ea15e804607e0a4a34a2f6c331c8750b68bcnvd
News mentions
0No linked articles in our index yet.