CVE-2026-43225

/* * PoC Concept for CVE-2026-43225 * Demonstrates the logic flaw in rtl8723bs driver leading to memory leak. * This code simulates the vulnerable path where 'buf' is not freed on error. */ #include <linux/module.h> #include <linux/kernel.h> #include <linux/slab.h> // Simulated function representing the vulnerable driver logic int vulnerable_logic(void) { // Allocate buffer, simulating kmalloc in driver void *buf = kmalloc(1024, GFP_KERNEL); if (!buf) return -ENOMEM; // Simulate cfg80211_inform_bss_frame returning NULL (failure) // Real trigger involves specific wireless frame conditions void *inform_result = NULL; if (!inform_result) { // VULNERABILITY: 'buf' is leaked here as function returns early // In the real driver: return -EINVAL; printk(KERN_ALERT "Memory leaked: buf not freed before return!\n"); return -EINVAL; } // Correct path (not taken in PoC) kfree(buf); return 0; } // To reproduce: Load this module and call vulnerable_logic repeatedly // to observe increase in kernel memory usage (kmemleak can be used).

{"cve": {"id": "CVE-2026-43225", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:42.270", "lastModified": "2026-05-08T21:22:38.057", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix memory leak on failure path\n\ncfg80211_inform_bss_frame() may return NULL on failure. In that case,\nthe allocated buffer 'buf' is not freed and the function returns early,\nleading to potential memory leak.\nFix this by ensuring that 'buf' is freed on both success and failure paths."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.12", "versionEndExcluding": "5.15.202", "matchCriteriaId": "1B385FE4-E381-4736-9CB4-443EC1C8E178"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.165", "matchCriteriaId": "797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/017295b17bf1f477246c95bd253a7ef0cb4684c9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8311bb40698ba027649d5d1ca84ad4bf25270546", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9874e33ce52ba449ab0ade78752a2d37a2294617", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9f70f78e22b321429afc77befecedf05543d4e2c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a968c6a39607c129b8ac2c3c2a5e8923574e90d0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/abe850d82c8cb72d28700673678724e779b1826e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/af48c1a0abe849e167fc754b6c260b6d8350b6fd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}