CVE-2025-71229 (GCVE-0-2025-71229)

Vulnerability from cvelistv5 – Published: 2026-02-18 14:53 – Updated: 2026-02-18 14:53
VLAI?
Title
wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems. Do 1 byte reads/writes instead. Unable to handle kernel paging request at virtual address ffff8000827e0522 Mem abort info: ESR = 0x0000000096000021 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x21: alignment fault Data abort info: ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000 [ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13 Internal error: Oops: 0000000096000021 [#1] SMP Modules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...] CPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G W 6.17.9 #1-NixOS VOLUNTARY Tainted: [W]=WARN Hardware name: FriendlyElec NanoPC-T6 LTS (DT) Workqueue: phy0 rtw_c2h_work [rtw88_core] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : rtw_pci_read32+0x18/0x40 [rtw88_pci] lr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core] sp : ffff800080cc3ca0 x29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828 x26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00 x23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001 x20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522 Call trace: rtw_pci_read32+0x18/0x40 [rtw88_pci] (P) rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core] rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core] rtw_c2h_work+0x50/0x98 [rtw88_core] process_one_work+0x178/0x3f8 worker_thread+0x208/0x418 kthread+0x120/0x220 ret_from_fork+0x10/0x20 Code: d28fe202 8b020000 f9524400 8b214000 (b9400000) ---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 71dee092903adb496fe1f357b267d94087b679e0 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7d31dde1bd8678115329e46dc8d7afb63c176b74 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 13394550441557115bb74f6de9778c165755a7ab (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 653f8b6a091538b084715f259900f62c2ec1c6cf (git)
Create a notification for this product.
    Linux Linux Unaffected: 6.6.125 , ≤ 6.6.* (semver)
Unaffected: 6.12.72 , ≤ 6.12.* (semver)
Unaffected: 6.18.11 , ≤ 6.18.* (semver)
Unaffected: 6.19.1 , ≤ 6.19.* (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw88/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "71dee092903adb496fe1f357b267d94087b679e0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7d31dde1bd8678115329e46dc8d7afb63c176b74",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "13394550441557115bb74f6de9778c165755a7ab",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "653f8b6a091538b084715f259900f62c2ec1c6cf",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw88/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.125",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.72",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.125",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.72",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()\n\nrtw_core_enable_beacon() reads 4 bytes from an address that is not a\nmultiple of 4. This results in a crash on some systems.\n\nDo 1 byte reads/writes instead.\n\nUnable to handle kernel paging request at virtual address ffff8000827e0522\nMem abort info:\n  ESR = 0x0000000096000021\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x21: alignment fault\nData abort info:\n  ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000\n  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nswapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000\n[ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13\nInternal error: Oops: 0000000096000021 [#1]  SMP\nModules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...]\nCPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G        W           6.17.9 #1-NixOS VOLUNTARY\nTainted: [W]=WARN\nHardware name: FriendlyElec NanoPC-T6 LTS (DT)\nWorkqueue: phy0 rtw_c2h_work [rtw88_core]\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : rtw_pci_read32+0x18/0x40 [rtw88_pci]\nlr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core]\nsp : ffff800080cc3ca0\nx29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828\nx26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00\nx23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001\nx20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522\nCall trace:\n rtw_pci_read32+0x18/0x40 [rtw88_pci] (P)\n rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core]\n rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core]\n rtw_c2h_work+0x50/0x98 [rtw88_core]\n process_one_work+0x178/0x3f8\n worker_thread+0x208/0x418\n kthread+0x120/0x220\n ret_from_fork+0x10/0x20\nCode: d28fe202 8b020000 f9524400 8b214000 (b9400000)\n---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-18T14:53:13.412Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/71dee092903adb496fe1f357b267d94087b679e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d31dde1bd8678115329e46dc8d7afb63c176b74"
        },
        {
          "url": "https://git.kernel.org/stable/c/13394550441557115bb74f6de9778c165755a7ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/653f8b6a091538b084715f259900f62c2ec1c6cf"
        }
      ],
      "title": "wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71229",
    "datePublished": "2026-02-18T14:53:13.412Z",
    "dateReserved": "2026-02-14T16:26:02.970Z",
    "dateUpdated": "2026-02-18T14:53:13.412Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-71229\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-18T16:22:29.627\",\"lastModified\":\"2026-02-18T17:51:53.510\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()\\n\\nrtw_core_enable_beacon() reads 4 bytes from an address that is not a\\nmultiple of 4. This results in a crash on some systems.\\n\\nDo 1 byte reads/writes instead.\\n\\nUnable to handle kernel paging request at virtual address ffff8000827e0522\\nMem abort info:\\n  ESR = 0x0000000096000021\\n  EC = 0x25: DABT (current EL), IL = 32 bits\\n  SET = 0, FnV = 0\\n  EA = 0, S1PTW = 0\\n  FSC = 0x21: alignment fault\\nData abort info:\\n  ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000\\n  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\nswapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000005492000\\n[ffff8000827e0522] pgd=0000000000000000, p4d=10000001021d9403, pud=10000001021da403, pmd=100000011061c403, pte=00780000f3200f13\\nInternal error: Oops: 0000000096000021 [#1]  SMP\\nModules linked in: [...] rtw88_8822ce rtw88_8822c rtw88_pci rtw88_core [...]\\nCPU: 0 UID: 0 PID: 73 Comm: kworker/u32:2 Tainted: G        W           6.17.9 #1-NixOS VOLUNTARY\\nTainted: [W]=WARN\\nHardware name: FriendlyElec NanoPC-T6 LTS (DT)\\nWorkqueue: phy0 rtw_c2h_work [rtw88_core]\\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\npc : rtw_pci_read32+0x18/0x40 [rtw88_pci]\\nlr : rtw_core_enable_beacon+0xe0/0x148 [rtw88_core]\\nsp : ffff800080cc3ca0\\nx29: ffff800080cc3ca0 x28: ffff0001031fc240 x27: ffff000102100828\\nx26: ffffd2cb7c9b4088 x25: ffff0001031fc2c0 x24: ffff000112fdef00\\nx23: ffff000112fdef18 x22: ffff000111c29970 x21: 0000000000000001\\nx20: 0000000000000001 x19: ffff000111c22040 x18: 0000000000000000\\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\\nx14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffd2cb6507c090\\nx8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\\nx5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\\nx2 : 0000000000007f10 x1 : 0000000000000522 x0 : ffff8000827e0522\\nCall trace:\\n rtw_pci_read32+0x18/0x40 [rtw88_pci] (P)\\n rtw_hw_scan_chan_switch+0x124/0x1a8 [rtw88_core]\\n rtw_fw_c2h_cmd_handle+0x254/0x290 [rtw88_core]\\n rtw_c2h_work+0x50/0x98 [rtw88_core]\\n process_one_work+0x178/0x3f8\\n worker_thread+0x208/0x418\\n kthread+0x120/0x220\\n ret_from_fork+0x10/0x20\\nCode: d28fe202 8b020000 f9524400 8b214000 (b9400000)\\n---[ end trace 0000000000000000 ]---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/13394550441557115bb74f6de9778c165755a7ab\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/653f8b6a091538b084715f259900f62c2ec1c6cf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/71dee092903adb496fe1f357b267d94087b679e0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7d31dde1bd8678115329e46dc8d7afb63c176b74\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.