PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43386 Linux CVE debrief

CVE-2026-43386 is a HIGH severity (CVSS 7.1) out-of-bounds read vulnerability in the Linux kernel's staging rtl8723bs Wi-Fi driver. The flaw exists in the `rtw_restruct_wmm_ie` function where the code accesses `in_ie[i + 5]` before verifying that `i + 5 < in_len`, allowing a local attacker with low privileges to trigger an out-of-bounds read. This is classified as CWE-125 (Out-of-bounds Read). The vulnerability affects multiple Linux kernel versions from 4.12 through 7.0-rc3, with patches available for stable branches. The fix reorders the conditional check to validate bounds before array access. No known exploitation in the wild or ransomware campaign use has been reported.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-26
Advisory published
2026-05-08
Advisory updated
2026-05-26

Who should care

Linux system administrators, embedded device manufacturers using rtl8723bs Wi-Fi chipsets, security teams managing kernel attack surface, and organizations with IoT/embedded Linux deployments

Technical summary

The vulnerability resides in `drivers/staging/rtl8723bs/core/rtw_mlme.c` in the `rtw_restruct_wmm_ie` function. In the original code the bounds check sat after the access to `in_ie[i + 5]` in the same `&&` chain, so the read was performed before the check that was meant to guard it (a check-after-use ordering). The patch moves the length check `i + 5 < in_len` to the beginning of the conditional, so that short-circuit evaluation stops before any array access when the index is out of range. This is a local vulnerability requiring low privileges with no user interaction, impacting confidentiality and availability per CVSS 3.1 scoring.
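To make the ordering concrete, here is an added C model of the scan (not the driver's code): `ie_at`, `wmm_bytes_match`, `find_wmm_ie` and the two constructed frames are assumptions, while the fixed-field offset of 12 and the WMM OUI bytes (ID 0xDD, 00:50:F2, type 0x02) are the standard values. The `check_first` flag selects the original check-last ordering or the patched check-first ordering, and a bounds-tracking accessor counts out-of-bounds read attempts instead of performing them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Bounds-tracking stand-in for a raw in_ie[idx] read: counts any attempt to
 * read at or past in_len and returns 0 instead of touching memory. */
static uint8_t ie_at(const uint8_t *in_ie, size_t in_len, size_t idx, int *oob)
{
    if (idx >= in_len) { (*oob)++; return 0; }
    return in_ie[idx];
}

/* The WMM vendor IE test (ID 0xDD, OUI 00:50:F2, OUI type 0x02), evaluated
 * left to right and stopping at the first mismatch like an && chain does. */
static bool wmm_bytes_match(const uint8_t *in_ie, size_t in_len, size_t i, int *oob)
{
    return ie_at(in_ie, in_len, i, oob) == 0xDD &&
           ie_at(in_ie, in_len, i + 2, oob) == 0x00 &&
           ie_at(in_ie, in_len, i + 3, oob) == 0x50 &&
           ie_at(in_ie, in_len, i + 4, oob) == 0xF2 &&
           ie_at(in_ie, in_len, i + 5, oob) == 0x02;
}

/* Simplified model of the scan (assumed layout): IEs start at offset 12, after
 * the fixed beacon fields. check_first=false puts `i + 5 < in_len` last, as the
 * vulnerable code did; check_first=true puts it first, as the fix does. Returns
 * the WMM IE offset or -1; *oob receives the number of out-of-bounds attempts. */
static long find_wmm_ie(const uint8_t *in_ie, size_t in_len, bool check_first, int *oob)
{
    size_t i = 12;
    *oob = 0;
    while (i < in_len) {
        /* With the check first, && short-circuits before any byte is read; with
         * it last, in_ie[i + 5] is read and only then tested for being in range. */
        bool match = check_first
            ? (i + 5 < in_len && wmm_bytes_match(in_ie, in_len, i, oob))
            : (wmm_bytes_match(in_ie, in_len, i, oob) && i + 5 < in_len);
        if (match)
            return (long)i;
        i += (size_t)ie_at(in_ie, in_len, i + 1, oob) + 2; /* skip to next IE */
    }
    return -1;
}
/* Constructed input: 12 zeroed fixed bytes, an SSID IE, then the WMM IE. The
 * truncated copy ends right before the OUI-type byte at offset 23. */
static const uint8_t good_frame[] = { 0,0,0,0,0,0,0,0,0,0,0,0, 0x00,0x04,'w','l','a','n',
    0xDD,0x07,0x00,0x50,0xF2,0x02,0x01,0x01,0x00 };
static const uint8_t truncated_frame[] = { 0,0,0,0,0,0,0,0,0,0,0,0, 0x00,0x04,'w','l','a','n',
    0xDD,0x07,0x00,0x50,0xF2 };
```

On the well-formed frame both orderings find the WMM IE at offset 18 without any out-of-bounds attempt; on the truncated frame the check-last ordering attempts one read at offset 23 while the check-first ordering attempts none.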

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches (5.10.253+, 5.15.203+, 6.1.167+, 6.6.130+, 6.12.78+, 6.18.19+, 6.19.9+, or 7.0-rc4+) to remediate the out-of-bounds read in `rtw_restruct_wmm_ie`
  • Verify kernel version against affected CPE ranges and prioritize systems using the rtl8723bs Wi-Fi driver
  • Monitor for kernel updates from distribution maintainers if custom kernel builds are not feasible
  • Review staging driver usage and consider disabling rtl8723bs if not required for system operation

Evidence notes

Vulnerability confirmed via NVD with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. Multiple stable kernel patches released. CPE criteria confirm affected versions across 4.12-5.10.252, 5.11-5.15.202, 5.16-6.1.166, 6.2-6.6.129, 6.7-6.12.77, 6.13-6.18.18, 6.19-6.19.8, and 7.0-rc1 through rc3.

Official resources

2026-05-08