2422744 – (CVE-2025-68255) CVE-2025-68255 kernel: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing

Bug 2422744 (CVE-2025-68255) - CVE-2025-68255 kernel: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing

Summary: CVE-2025-68255 kernel: staging: rtl8723bs: fix stack buffer overflow in OnAss...

Keywords:
Status:	NEW
Alias:	CVE-2025-68255
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-16 15:01 UTC by OSIDB Bzimport
Modified:	2025-12-16 23:20 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-16 15:01:28 UTC

In the Linux kernel, the following vulnerability has been resolved:

staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing

The Supported Rates IE length from an incoming Association Request frame
was used directly as the memcpy() length when copying into a fixed-size
16-byte stack buffer (supportRate). A malicious station can advertise an
IE length larger than 16 bytes, causing a stack buffer overflow.

Clamp ie_len to the buffer size before copying the Supported Rates IE,
and correct the bounds check when merging Extended Supported Rates to
prevent a second potential overflow.

This prevents kernel stack corruption triggered by malformed association
requests.

Comment 1 Alexander B 2025-12-16 23:16:16 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025121612-CVE-2025-68255-3994@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.