FKIE_CVE-2023-54036

Vulnerability from fkie_nvd - Published: 2025-12-24 11:15 - Updated: 2025-12-29 15:58
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU The wifi + bluetooth combo chip RTL8723BU can leak memory (especially?) when it's connected to a bluetooth audio device. The busy bluetooth traffic generates lots of C2H (card to host) messages, which are not freed correctly. To fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback() inside the loop where skb_dequeue() is called. The RTL8192EU leaks memory because the C2H messages are added to the queue and left there forever. (This was fine in the past because it probably wasn't sending any C2H messages until commit e542e66b7c2e ("wifi: rtl8xxxu: gen2: Turn on the rate control"). Since that commit it sends a C2H message when the TX rate changes.) To fix this, delete the check for rf_paths > 1 and the goto. Let the function process the C2H messages from RTL8192EU like the ones from the other chips. Theoretically the RTL8188FU could also leak like RTL8723BU, but it most likely doesn't send C2H messages frequently enough. This change was tested with RTL8723BU by Erhard F. I tested it with RTL8188FU and RTL8192EU.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/35fb0e275af1aa1ca0a9784417e90f988aaf8e78
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/430f9f9bec53a75f9ccc53e156a66f13fc098b83
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/93c3f34ec02fc81188d328287d4fddd498ccddea
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b39f662ce1648db0b9de32e6a849b098480793cb
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f39a86b4efd270947ee252cc32a30b0aef492d65
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU\n\nThe wifi + bluetooth combo chip RTL8723BU can leak memory (especially?)\nwhen it\u0027s connected to a bluetooth audio device. The busy bluetooth\ntraffic generates lots of C2H (card to host) messages, which are not\nfreed correctly.\n\nTo fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback()\ninside the loop where skb_dequeue() is called.\n\nThe RTL8192EU leaks memory because the C2H messages are added to the\nqueue and left there forever. (This was fine in the past because it\nprobably wasn\u0027t sending any C2H messages until commit e542e66b7c2e\n(\"wifi: rtl8xxxu: gen2: Turn on the rate control\"). Since that commit\nit sends a C2H message when the TX rate changes.)\n\nTo fix this, delete the check for rf_paths \u003e 1 and the goto. Let the\nfunction process the C2H messages from RTL8192EU like the ones from\nthe other chips.\n\nTheoretically the RTL8188FU could also leak like RTL8723BU, but it\nmost likely doesn\u0027t send C2H messages frequently enough.\n\nThis change was tested with RTL8723BU by Erhard F. I tested it with\nRTL8188FU and RTL8192EU."
    }
  ],
  "id": "CVE-2023-54036",
  "lastModified": "2025-12-29T15:58:56.260",
  "metrics": {},
  "published": "2025-12-24T11:15:56.593",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/35fb0e275af1aa1ca0a9784417e90f988aaf8e78"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/430f9f9bec53a75f9ccc53e156a66f13fc098b83"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/93c3f34ec02fc81188d328287d4fddd498ccddea"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b39f662ce1648db0b9de32e6a849b098480793cb"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f39a86b4efd270947ee252cc32a30b0aef492d65"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.