rtw89
by Linux
Source repositories
CVEs (18)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-43176 | Hig | 0.50 | 8.8 | 0.00 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: validate release report content before using for RTL8922DE The commit 957eda596c76 ("wifi: rtw89: pci: validate sequence number of TX release report") does validation on existing chips, which… | ||
| CVE-2026-43213 | Hig | 0.42 | 7.5 | 0.00 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: validate sequence number of TX release report Hardware rarely reports abnormal sequence number in TX release report, which will access out-of-bounds of wd_ring->pages array, causing NULL… | ||
| CVE-2026-43267 | Med | 0.29 | 5.5 | 0.00 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix potential zero beacon interval in beacon tracking During fuzz testing, it was discovered that bss_conf->beacon_int might be zero, which could result in a division by zero error in subsequent… | ||
| CVE-2022-50863 | 0.00 | — | 0.00 | Dec 30, 2025 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: free unused skb to prevent memory leak This avoid potential memory leak under power saving mode. | |||
| CVE-2025-40000 | 0.00 | — | 0.00 | Oct 15, 2025 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait() There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to access already freed skb_data: BUG: KFENCE: use-after-free write… | |||
| CVE-2023-53467 | 0.00 | — | 0.00 | Oct 1, 2025 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix potential leak in rtw89_append_probe_req_ie() Do `kfree_skb(new)` before `goto out` to prevent potential leak. | |||
| CVE-2025-38657 | 0.00 | — | 0.00 | Aug 22, 2025 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: mcc: prevent shift wrapping in rtw89_core_mlsr_switch() The "link_id" value comes from the user via debugfs. If it's larger than BITS_PER_LONG then that would result in shift wrapping and… | |||
| CVE-2025-38647 | 0.00 | — | 0.00 | Aug 22, 2025 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: sar: drop lockdep assertion in rtw89_set_sar_from_acpi The following assertion is triggered on the rtw89 driver startup. It looks meaningless to hold wiphy lock on the early init stage so drop the… | |||
| CVE-2025-21730 | 0.00 | — | 0.00 | Feb 27, 2025 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: avoid to init mgnt_entry list twice when WoWLAN failed If WoWLAN failed in resume flow, the rtw89_ops_add_interface() triggered without removing the interface first. Then the mgnt_entry list init… | |||
| CVE-2025-21729 | 0.00 | — | 0.00 | Feb 27, 2025 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion The rtwdev->scanning flag isn't protected by mutex originally, so cancel_hw_scan can pass the condition, but suddenly hw_scan completion… | |||
| CVE-2022-49539 | 0.00 | — | 0.00 | Feb 26, 2025 | In the Linux kernel, the following vulnerability has been resolved: rtw89: ser: fix CAM leaks occurring in L2 reset The CAM, meaning address CAM and bssid CAM here, will get leaks during SER (system error recover) L2 reset process and ieee80211_restart_hw() which is called by… | |||
| CVE-2024-56535 | 0.00 | — | 0.00 | Dec 27, 2024 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: coex: check NULL return of kmalloc in btc_fw_set_monreg() kmalloc may fail, return value might be NULL and will cause NULL pointer dereference. Add check NULL return of kmalloc in… | |||
| CVE-2024-49939 | 0.00 | — | 0.00 | Oct 21, 2024 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: avoid to add interface to list twice when SER If SER L2 occurs during the WoWLAN resume flow, the add interface flow is triggered by ieee80211_reconfig(). However, due to rtw89_wow_resume() return… | |||
| CVE-2024-49928 | 0.00 | — | 0.00 | Oct 21, 2024 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: avoid reading out of bounds when loading TX power FW elements Because the loop-expression will do one more time before getting false from cond-expression, the original code copied one more entry… | |||
| CVE-2024-47721 | 0.00 | — | 0.00 | Oct 21, 2024 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: remove unused C2H event ID RTW89_MAC_C2H_FUNC_READ_WOW_CAM to prevent out-of-bounds reading The handler of firmware C2H event RTW89_MAC_C2H_FUNC_READ_WOW_CAM isn't implemented, but driver expects… | |||
| CVE-2024-43842 | 0.00 | — | 0.00 | Aug 17, 2024 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter() In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size. But then 'rate->he_gi' is used as array index instead of… | |||
| CVE-2024-42125 | 0.00 | — | 0.00 | Jul 30, 2024 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband We have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz sband will be NULL even if it is WiFi 7 chip. So, add NULL… | |||
| CVE-2024-35946 | 0.00 | — | 0.00 | May 19, 2024 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix null pointer access when abort scan During cancel scan we might use vif that weren't scanning. Fix this by using the actual scanning vif. |
- risk 0.50cvss 8.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: validate release report content before using for RTL8922DE The commit 957eda596c76 ("wifi: rtw89: pci: validate sequence number of TX release report") does validation on existing chips, which…
- risk 0.42cvss 7.5epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: validate sequence number of TX release report Hardware rarely reports abnormal sequence number in TX release report, which will access out-of-bounds of wd_ring->pages array, causing NULL…
- risk 0.29cvss 5.5epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix potential zero beacon interval in beacon tracking During fuzz testing, it was discovered that bss_conf->beacon_int might be zero, which could result in a division by zero error in subsequent…
- CVE-2022-50863Dec 30, 2025risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: free unused skb to prevent memory leak This avoid potential memory leak under power saving mode.
- CVE-2025-40000Oct 15, 2025risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait() There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to access already freed skb_data: BUG: KFENCE: use-after-free write…
- CVE-2023-53467Oct 1, 2025risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix potential leak in rtw89_append_probe_req_ie() Do `kfree_skb(new)` before `goto out` to prevent potential leak.
- CVE-2025-38657Aug 22, 2025risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: mcc: prevent shift wrapping in rtw89_core_mlsr_switch() The "link_id" value comes from the user via debugfs. If it's larger than BITS_PER_LONG then that would result in shift wrapping and…
- CVE-2025-38647Aug 22, 2025risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: sar: drop lockdep assertion in rtw89_set_sar_from_acpi The following assertion is triggered on the rtw89 driver startup. It looks meaningless to hold wiphy lock on the early init stage so drop the…
- CVE-2025-21730Feb 27, 2025risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: avoid to init mgnt_entry list twice when WoWLAN failed If WoWLAN failed in resume flow, the rtw89_ops_add_interface() triggered without removing the interface first. Then the mgnt_entry list init…
- CVE-2025-21729Feb 27, 2025risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion The rtwdev->scanning flag isn't protected by mutex originally, so cancel_hw_scan can pass the condition, but suddenly hw_scan completion…
- CVE-2022-49539Feb 26, 2025risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: rtw89: ser: fix CAM leaks occurring in L2 reset The CAM, meaning address CAM and bssid CAM here, will get leaks during SER (system error recover) L2 reset process and ieee80211_restart_hw() which is called by…
- CVE-2024-56535Dec 27, 2024risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: coex: check NULL return of kmalloc in btc_fw_set_monreg() kmalloc may fail, return value might be NULL and will cause NULL pointer dereference. Add check NULL return of kmalloc in…
- CVE-2024-49939Oct 21, 2024risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: avoid to add interface to list twice when SER If SER L2 occurs during the WoWLAN resume flow, the add interface flow is triggered by ieee80211_reconfig(). However, due to rtw89_wow_resume() return…
- CVE-2024-49928Oct 21, 2024risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: avoid reading out of bounds when loading TX power FW elements Because the loop-expression will do one more time before getting false from cond-expression, the original code copied one more entry…
- CVE-2024-47721Oct 21, 2024risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: remove unused C2H event ID RTW89_MAC_C2H_FUNC_READ_WOW_CAM to prevent out-of-bounds reading The handler of firmware C2H event RTW89_MAC_C2H_FUNC_READ_WOW_CAM isn't implemented, but driver expects…
- CVE-2024-43842Aug 17, 2024risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter() In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size. But then 'rate->he_gi' is used as array index instead of…
- CVE-2024-42125Jul 30, 2024risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband We have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz sband will be NULL even if it is WiFi 7 chip. So, add NULL…
- CVE-2024-35946May 19, 2024risk 0.00cvss —epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix null pointer access when abort scan During cancel scan we might use vif that weren't scanning. Fix this by using the actual scanning vif.