CVE-2026-46305: Linux rtl8723bs NULL Pointer Dereference DoS Vulnerability
A flaw in the Linux kernel's rtl8723bs WiFi driver can cause the system to crash if memory allocation fails during buffer initialization. When the driver attempts to create a buffer, it doesn't properly check whether the memory allocation succeeded before trying to use it. If the allocation fails—a condition that may occur under memory pressure—the code will attempt to access a NULL pointer, causing a denial of service. This is a localized driver issue affecting WiFi functionality rather than a system-wide kernel compromise.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc The return value of kzalloc_flex() is used without ensuring that the allocation succeeded, and the pointer is dereferenced unconditionally. Guard the access to the allocated structure to avoid a potential NULL pointer dereference if the allocation fails.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46305 is a NULL pointer dereference vulnerability in the Linux kernel's rtl8723bs staging driver, specifically in the rtw_cbuf_alloc() function within os_dep. The kzalloc_flex() call used to allocate memory lacks proper validation of the return value. When allocation fails and returns NULL, subsequent code unconditionally dereferences the pointer without null-checking guards. This results in a kernel panic and denial of service. The vulnerability is classified as CWE-476 (NULL Pointer Dereference) with a CVSS v3.1 score of 5.5 (Medium severity, local attack vector, low complexity).
Business impact
The primary business impact is availability degradation rather than confidentiality or integrity loss. A system running a vulnerable kernel version with the rtl8723bs driver loaded could experience unexpected system crashes triggered by memory pressure or allocation failures. For organizations relying on Linux systems with this WiFi adapter, remediation prevents recurring kernel panics and improves system stability. The impact is limited to systems with this specific hardware adapter, narrowing the scope for most enterprise environments.
Affected systems
This vulnerability affects Linux kernel installations with the rtl8723bs WiFi driver enabled. The rtl8723bs driver is a staging driver used by systems with Realtek RTL8723BS chipset wireless adapters—commonly found in certain laptops, embedded systems, and USB WiFi dongles. Impact depends on kernel version and whether the driver is actively loaded; systems without this adapter are unaffected.
Exploitability
Exploitability is limited due to the local-only attack vector requirement. An attacker needs local system access and the ability to trigger memory pressure or allocation failures—for example, via resource exhaustion attacks or crafted workloads. The vulnerability cannot be remotely triggered across a network. Privilege escalation is not possible via this flaw; the impact is denial of service only. No public exploit code is known, and the vulnerability does not appear on the CISA KEV catalog.
Remediation
Apply the kernel patch addressing rtw_cbuf_alloc() to add proper NULL pointer checks after kzalloc_flex() calls. The fix guards buffer access with null-checking conditions before dereferencing. Verify the patched kernel version against your Linux distribution's advisory. For systems where the rtl8723bs driver is not needed, disabling or removing the driver eliminates exposure entirely.
Patch guidance
Consult your Linux distribution's kernel security advisories for patched versions. Most major distributions (Ubuntu, Debian, Red Hat, etc.) will backport fixes to their supported kernel branches. Verify patch availability at your vendor's advisory page, as version numbers vary by distribution. Systems running enterprise-supported kernels typically receive patches through standard update channels. Test patched kernels in a non-production environment first to confirm stability, particularly for driver-level changes.
Detection guidance
Monitor system logs and dmesg output for kernel panic messages related to rtl8723bs or NULL pointer dereference faults originating from the driver's buffer allocation code. Kernel crash dumps and syslog entries will contain stack traces pointing to rtw_cbuf_alloc(). On systems where the driver is active, track unexpected reboots or availability drops coinciding with memory pressure events. Use 'lsmod | grep rtl8723bs' to confirm whether the driver is currently loaded.
Why prioritize this
While the CVSS score of 5.5 is moderate, prioritization should account for your specific environment. If your organization uses Linux systems with RTL8723BS adapters, patching should occur within your standard maintenance window to prevent unplanned downtime from kernel panics. For most enterprise data center environments without this hardware, the practical risk is lower. However, container environments, embedded systems, or edge deployments using these adapters should prioritize patch deployment to ensure operational stability.
Risk score, explained
The CVSS v3.1 score of 5.5 reflects a local attack requirement (AV:L), low attack complexity (AC:L), and a need for low privileges (PR:L), resulting in high availability impact (A:H) but no confidentiality or integrity impact. The 'Medium' severity designation appropriately captures that while this is a serious stability issue, it requires local access and affects only a specific driver. The score does not account for the narrow scope of affected hardware, which in practice reduces organizational risk.
Frequently asked questions
Does this vulnerability allow remote code execution or data theft?
No. CVE-2026-46305 is strictly a denial-of-service issue caused by a kernel panic. It does not compromise confidentiality or integrity. Remote exploitation is not possible; an attacker requires local system access and the ability to trigger memory allocation failures.
How do I know if my Linux system is affected?
Check whether the rtl8723bs driver is loaded by running 'lsmod | grep rtl8723bs'. If output appears, the driver is active. Confirm your kernel version is unpatched by checking vendor advisories. Systems without the Realtek RTL8723BS WiFi adapter are not affected regardless of kernel version.
What's the difference between the staging driver and the mainline driver?
The rtl8723bs driver in the Linux kernel staging subsystem is an out-of-tree driver for older Realtek WiFi hardware. Staging drivers are reviewed for eventual mainline inclusion or removal. This vulnerability is specific to the staging version; if your distribution uses an alternative or newer driver stack, this particular flaw may not apply.
Can I work around this without patching the kernel?
Yes, if the rtl8723bs driver is not essential, disable or blacklist it to prevent the module from loading. This eliminates the vulnerability without requiring a full kernel rebuild. If the adapter is required, kernel patching is the only proper fix.
This analysis is based on the vulnerability disclosure as of July 2026. The information provided is for informational and defensive purposes only. SEC.co does not provide legal, regulatory, or compliance advice. Organizations should verify all patch versions, vendor advisories, and CVSS assessments directly with their respective Linux distribution and kernel maintainers before deploying patches to production systems. Exploitation scenarios and impact may vary based on system configuration, kernel version, and local security controls. No liability is accepted for misuse of this information or for damages resulting from vulnerability remediation decisions. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)
- CVE-2026-46134MEDIUMLinux Kernel cros_ec Mutex Initialization DoS Vulnerability
- CVE-2026-46188MEDIUMLinux Octeon EP VF NULL Pointer Dereference Denial of Service
- CVE-2026-46211MEDIUMLinux Kernel MSM DRM NULL Pointer and Silent Error in gem_info_get_metadata
- CVE-2026-46216MEDIUMLinux Intel Arc GPU NULL Pointer Dereference (HDCP)
- CVE-2026-46222MEDIUMLinux Rockchip RKCam Driver Null Pointer Dereference