PatchSiren

CVE-2026-46092 Linux CVE debrief

A null-pointer dereference vulnerability in the Linux kernel's Realtek rtw88 Wi-Fi driver could cause system crashes during device probe when the 8821CE chipset is installed in systems with a root bus PCI topology. The issue occurs because pci_upstream_bridge() returns NULL when no PCI-to-PCI bridge exists upstream, and the driver previously did not validate this return value before applying a workaround. The vulnerability was discovered by the Linux Verification Center using the Svace static analysis tool. The fix adds a null check before applying the bridge-specific workaround.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators deploying 8821CE Wi-Fi hardware in non-standard PCI topologies; embedded systems developers using this chipset; kernel maintainers backporting fixes to stable branches

Technical summary

The rtw88 Wi-Fi driver for Realtek 8821CE chipsets contains a null-pointer dereference vulnerability in its PCI probe routine. The driver calls pci_upstream_bridge() to obtain a reference to the upstream PCI bridge for applying a specific workaround, but does not check if the return value is NULL. When the device is connected directly to a root bus without an intermediate PCI-to-PCI bridge, pci_upstream_bridge() returns NULL, causing a crash when the driver attempts to dereference this pointer. The fix adds a conditional check to verify the bridge exists before applying the workaround. This vulnerability is primarily relevant for systems where the 8821CE card is installed in desktop or server configurations rather than the typical laptop deployment scenario.
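
The missing check described above, shown as a user-space C model with the unchecked and checked forms side by side. This is an added illustration, not the rtw88 driver source or the upstream patch: every type and function name is hypothetical, and the vendor-ID comparison is an assumed stand-in for the workaround condition, which the summary does not specify.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model; all types and names here are hypothetical, not kernel code. */
struct model_pci_dev {
    unsigned short vendor;
    struct model_pci_bus *bus;   /* bus the device sits on */
};

struct model_pci_bus {
    struct model_pci_dev *self;  /* bridge leading to this bus; NULL on a root bus */
};

#define MODEL_BRIDGE_VENDOR 0x1234  /* constructed vendor ID the workaround keys on */

/* Models the described pci_upstream_bridge() behaviour: NULL when no bridge is upstream. */
static struct model_pci_dev *model_upstream_bridge(const struct model_pci_dev *dev)
{
    return dev->bus->self;
}

/* "Before": dereferences the bridge unconditionally, so it faults on a root bus. */
static bool workaround_needed_unchecked(const struct model_pci_dev *dev)
{
    struct model_pci_dev *bridge = model_upstream_bridge(dev);
    return bridge->vendor == MODEL_BRIDGE_VENDOR;
}

/* "After": the bridge-specific workaround is considered only when a bridge exists. */
static bool workaround_needed_checked(const struct model_pci_dev *dev)
{
    struct model_pci_dev *bridge = model_upstream_bridge(dev);
    return bridge && bridge->vendor == MODEL_BRIDGE_VENDOR;
}

int main(void)
{
    struct model_pci_bus root = { .self = NULL };
    struct model_pci_dev bridge = { .vendor = MODEL_BRIDGE_VENDOR, .bus = &root };
    struct model_pci_bus child = { .self = &bridge };
    struct model_pci_dev behind_bridge = { .vendor = 0x5678, .bus = &child };
    struct model_pci_dev on_root = { .vendor = 0x5678, .bus = &root };
    printf("behind bridge: %d\n", workaround_needed_checked(&behind_bridge));
    printf("on root bus:   %d\n", workaround_needed_checked(&on_root));
    (void)workaround_needed_unchecked; /* not called: it would fault for on_root */
    return 0;
}
```

On the root-bus device the checked form skips the workaround and the probe path can continue, while the unchecked form would read through a NULL pointer.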

Defensive priority

medium

Recommended defensive actions

  • Apply the kernel patch from the stable tree that adds the pci_upstream_bridge() null check
  • Update to a kernel version containing the fix (commit eb101d2abdcccb514ca4fccd3b278dd8267374f6 or later)
  • For systems using 8821CE in non-standard PCI topologies, verify kernel version before deployment
  • Monitor kernel logs for rtw88 probe failures as potential indicators of this issue

Evidence notes

The vulnerability description indicates this was found through static analysis (Svace) rather than active exploitation. The issue affects a specific hardware configuration (8821CE on root bus PCI topology) that is uncommon in typical laptop deployments where this card is usually found.
