CVE-2025-71234

Source
https://cve.org/CVERecord?id=CVE-2025-71234
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71234.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-71234
Downstream
Published
2026-02-18T14:53:18.893Z
Modified
2026-02-23T20:01:18.330724Z
Summary
wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add

The driver does not set hw->sta_data_size, which causes mac80211 to allocate insufficient space for driver private station data in __sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of struct rtl8xxxu_sta_info through sta->drv_priv, this results in a slab-out-of-bounds write.

KASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:

BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346
Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12

Set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during probe, similar to how hw->vif_data_size is configured. This ensures mac80211 allocates sufficient space for the driver's per-station private data.

Tested on StarFive VisionFive 2 v1.2A board.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71234.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
eef55f1545c92c7181d5083453dee1296298ad3e
Fixed
5d810ba377eddee95d30766d360a14efbb3d1872
Fixed
116f7bd8160c6b37d1c6939385abf90f6f6ed2f5
Fixed
9a0f3fa6ecd0c9c32dbc367a57482bbf7c7d25bf
Fixed
86c946bcc00f6390ef65e9614ae60a9377e454f8

Affected versions

v6.*
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.45
v6.12.46
v6.12.47
v6.12.48
v6.12.49
v6.12.5
v6.12.50
v6.12.51
v6.12.52
v6.12.53
v6.12.54
v6.12.55
v6.12.56
v6.12.57
v6.12.58
v6.12.59
v6.12.6
v6.12.60
v6.12.61
v6.12.62
v6.12.63
v6.12.64
v6.12.65
v6.12.66
v6.12.67
v6.12.68
v6.12.69
v6.12.7
v6.12.70
v6.12.71
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.18
v6.18-rc1
v6.18-rc2
v6.18-rc3
v6.18-rc4
v6.18-rc5
v6.18-rc6
v6.18-rc7
v6.18.1
v6.18.10
v6.18.2
v6.18.3
v6.18.4
v6.18.5
v6.18.6
v6.18.7
v6.18.8
v6.18.9
v6.19
v6.19-rc1
v6.19-rc2
v6.19-rc3
v6.19-rc4
v6.19-rc5
v6.19-rc6
v6.19-rc7
v6.19-rc8
v6.7
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71234.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.9.0
Fixed
6.12.72
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.11
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-71234.json"