VYPR
Unrated severity · NVD Advisory · Published Jun 8, 2026

CVE-2026-46305

Description

In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc

The return value of kzalloc_flex() is used without ensuring that the allocation succeeded, and the pointer is dereferenced unconditionally.

Guard the access to the allocated structure to avoid a potential NULL pointer dereference if the allocation fails.

Patches

0a5f411becfb

staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Shyam Sunder Reddy Padira · Apr 14, 2026 · Fixed in 7.0.7 · via kernel-cna
1 file changed · +2 2
  • drivers/staging/rtl8723bs/os_dep/osdep_service.c+2 2 modified
    diff --git a/drivers/staging/rtl8723bs/os_dep/osdep_service.c b/drivers/staging/rtl8723bs/os_dep/osdep_service.c
    index 7959daeabc6ff..4cfdf7c623440 100644
    --- a/drivers/staging/rtl8723bs/os_dep/osdep_service.c
    +++ b/drivers/staging/rtl8723bs/os_dep/osdep_service.c
    @@ -194,7 +194,8 @@ struct rtw_cbuf *rtw_cbuf_alloc(u32 size)
     	struct rtw_cbuf *cbuf;
     
     	cbuf = kzalloc_flex(*cbuf, bufs, size);
    -	cbuf->size = size;
    +	if (cbuf)
    +		cbuf->size = size;
     
     	return cbuf;
     }
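Review bot: The `if (cbuf)` wrapper around `cbuf->size = size;` guards only that one statement, so any initialisation added to `rtw_cbuf_alloc()` later has to remember to go under the same condition. An early `if (!cbuf) return NULL;` straight after the `kzalloc_flex()` call is the more usual kernel shape and keeps the success path unindented.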
    -- 
    cgit 1.3-korg
    
    
    
bc851db06045

staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Shyam Sunder Reddy Padira · Apr 14, 2026 · Fixed in 7.1-rc3 · via kernel-cna
1 file changed · +2 2
  • drivers/staging/rtl8723bs/os_dep/osdep_service.c+2 2 modified
    diff --git a/drivers/staging/rtl8723bs/os_dep/osdep_service.c b/drivers/staging/rtl8723bs/os_dep/osdep_service.c
    index 7959daeabc6ff..4cfdf7c623440 100644
    --- a/drivers/staging/rtl8723bs/os_dep/osdep_service.c
    +++ b/drivers/staging/rtl8723bs/os_dep/osdep_service.c
    @@ -194,7 +194,8 @@ struct rtw_cbuf *rtw_cbuf_alloc(u32 size)
     	struct rtw_cbuf *cbuf;
     
     	cbuf = kzalloc_flex(*cbuf, bufs, size);
    -	cbuf->size = size;
    +	if (cbuf)
    +		cbuf->size = size;
     
     	return cbuf;
     }
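Review bot: `return cbuf;` now hands NULL back to the caller on allocation failure, but nothing in the hunk documents that contract, and the callers of `rtw_cbuf_alloc()` are outside the visible lines. A short comment above the function stating that it returns NULL on failure, plus a check that every caller tests the result before use, would complete the fix; otherwise the dereference only moves one frame up.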
0a5f411becfb

staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git · Shyam Sunder Reddy Padira · Apr 14, 2026 · via nvd-ref
1 file changed · +2 2
  • drivers/staging/rtl8723bs/os_dep/osdep_service.c+2 2 modified
    diff --git a/drivers/staging/rtl8723bs/os_dep/osdep_service.c b/drivers/staging/rtl8723bs/os_dep/osdep_service.c
    index 7959daeabc6ff..4cfdf7c623440 100644
    --- a/drivers/staging/rtl8723bs/os_dep/osdep_service.c
    +++ b/drivers/staging/rtl8723bs/os_dep/osdep_service.c
    @@ -194,7 +194,8 @@ struct rtw_cbuf *rtw_cbuf_alloc(u32 size)
     	struct rtw_cbuf *cbuf;
     
     	cbuf = kzalloc_flex(*cbuf, bufs, size);
    -	cbuf->size = size;
    +	if (cbuf)
    +		cbuf->size = size;
     
     	return cbuf;
     }
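Review bot: `size` reaches `kzalloc_flex(*cbuf, bufs, size)` straight from the `u32` parameter with no range check between the declaration and the allocation, so the NULL path guarded here depends on whatever count the caller passes as well as on memory pressure. If callers only ever pass small fixed values, a comment saying so would help; otherwise consider rejecting out-of-range sizes before allocating.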
bc851db06045

staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git · Shyam Sunder Reddy Padira · Apr 14, 2026 · via nvd-ref
1 file changed · +2 2
  • drivers/staging/rtl8723bs/os_dep/osdep_service.c+2 2 modified
    diff --git a/drivers/staging/rtl8723bs/os_dep/osdep_service.c b/drivers/staging/rtl8723bs/os_dep/osdep_service.c
    index 7959daeabc6ff..4cfdf7c623440 100644
    --- a/drivers/staging/rtl8723bs/os_dep/osdep_service.c
    +++ b/drivers/staging/rtl8723bs/os_dep/osdep_service.c
    @@ -194,7 +194,8 @@ struct rtw_cbuf *rtw_cbuf_alloc(u32 size)
     	struct rtw_cbuf *cbuf;
     
     	cbuf = kzalloc_flex(*cbuf, bufs, size);
    -	cbuf->size = size;
    +	if (cbuf)
    +		cbuf->size = size;
     
     	return cbuf;
     }

Vulnerability mechanics

Root cause

"The return value of a memory allocation function is dereferenced without checking if the allocation succeeded."

Attack vector

An attacker can trigger this vulnerability by causing the `rtw_cbuf_alloc` function to fail its memory allocation. This failure leads to a NULL pointer dereference when the code attempts to access members of the unallocated structure. The specific conditions that cause `kzalloc_flex()` to fail are not detailed in the provided patches.

Affected code

The vulnerability exists in the `rtw_cbuf_alloc` function within the file `drivers/staging/rtl8723bs/os_dep/osdep_service.c`. The issue stems from the unconditional dereferencing of the `cbuf` pointer after the `kzalloc_flex()` call.

What the fix does

The patch adds a check to ensure that the pointer returned by `kzalloc_flex()` is not NULL before attempting to access its members. If the allocation fails and `cbuf` is NULL, the `cbuf->size = size;` assignment is skipped, preventing the NULL pointer dereference. This change guards the access to the allocated structure, thereby mitigating the vulnerability [patch_id=5239794].
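A user-space model of the patched allocation path, added here as an illustration (it is not kernel code and not part of the patch). `cbuf_model`, `zalloc_flex_model`, `queue_init_model` and the fault-injection flag are hypothetical names; the model shows the guarded assignment together with the caller-side NULL check that the fix relies on.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* User-space stand-in for the driver's struct: header plus flexible array. */
struct cbuf_model {
	uint32_t write, read, size;
	void *bufs[];
};

static int fail_next_alloc; /* fault injection, constructed for this example */

/* Hypothetical stand-in for kzalloc_flex(): zeroed header + n array slots. */
static void *zalloc_flex_model(size_t hdr, size_t elem, size_t n)
{
	/* Fail on request, or when hdr + elem * n would overflow size_t. */
	if (fail_next_alloc || n > (SIZE_MAX - hdr) / elem) {
		fail_next_alloc = 0;
		return NULL;
	}
	return calloc(1, hdr + elem * n);
}

/* Patched shape: touch the object only once the allocation is known good. */
struct cbuf_model *cbuf_alloc_model(uint32_t size)
{
	struct cbuf_model *cbuf;

	cbuf = zalloc_flex_model(sizeof(*cbuf), sizeof(cbuf->bufs[0]), size);
	if (cbuf)
		cbuf->size = size;
	return cbuf;
}

/* Caller side: a NULL return must become an error, not a later dereference. */
int queue_init_model(struct cbuf_model **out, uint32_t size, int inject_failure)
{
	fail_next_alloc = inject_failure;
	*out = cbuf_alloc_model(size);
	return *out ? 0 : -ENOMEM;
}

int main(void)
{
	struct cbuf_model *q = NULL;
	int ok = queue_init_model(&q, 8, 0);     /* normal path */
	free(q);
	int failed = queue_init_model(&q, 8, 1); /* injected allocation failure */
	return !(ok == 0 && failed == -ENOMEM);
}
```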

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
