
CVE-2021-47065: Vulnerability in Linux

Severity: Medium
Type: Vulnerability (CVE-2021-47065)
Published: Thu Feb 29 2024 (02/29/2024, 22:37:39 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

rtw88: Fix array overrun in rtw_get_tx_power_params()

Using a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the following array overrun is logged:

    ================================================================================
    UBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34
    index 5 is out of range for type 'u8 [5]'
    CPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G O 5.12.0-rc5-00086-gd88bba47038e-dirty #651
    Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50 09/29/2014
    Workqueue: phy0 ieee80211_scan_work [mac80211]
    Call Trace:
     dump_stack+0x64/0x7c
     ubsan_epilogue+0x5/0x40
     __ubsan_handle_out_of_bounds.cold+0x43/0x48
     rtw_get_tx_power_params+0x83a/0xad0 [rtw_core]
     ? rtw_pci_read16+0x20/0x20 [rtw_pci]
     ? check_hw_ready+0x50/0x90 [rtw_core]
     rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core]
     rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core]
     rtw_set_channel+0xab/0x110 [rtw_core]
     rtw_ops_config+0x87/0xc0 [rtw_core]
     ieee80211_hw_config+0x9d/0x130 [mac80211]
     ieee80211_scan_state_set_channel+0x81/0x170 [mac80211]
     ieee80211_scan_work+0x19f/0x2a0 [mac80211]
     process_one_work+0x1dd/0x3a0
     worker_thread+0x49/0x330
     ? rescuer_thread+0x3a0/0x3a0
     kthread+0x134/0x150
     ? kthread_create_worker_on_cpu+0x70/0x70
     ret_from_fork+0x22/0x30
    ================================================================================

The statement where an array is being overrun is shown in the following snippet:

    if (rate <= DESC_RATE11M)
        tx_power = pwr_idx_2g->cck_base[group];
    else
    ====>   tx_power = pwr_idx_2g->bw40_base[group];

The associated arrays are defined in main.h as follows:

    struct rtw_2g_txpwr_idx {
        u8 cck_base[6];
        u8 bw40_base[5];
        struct rtw_2g_1s_pwr_idx_diff ht_1s_diff;
        struct rtw_2g_ns_pwr_idx_diff ht_2s_diff;
        struct rtw_2g_ns_pwr_idx_diff ht_3s_diff;
        struct rtw_2g_ns_pwr_idx_diff ht_4s_diff;
    };

The problem arises because the value of group is 5 for channel 14. The trivial increase in the dimension of bw40_base fails as this struct must match the layout of efuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set the group for channel 14 to 4 if rate <= DESC_RATE11M.

This patch fixes commit fa6dfe6bff24 ("rtw88: resolve order of tx power setting routines")
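The following is an added illustration of the bug and its fix, written for this page; it is not the rtw88 driver's code. It models the two arrays quoted from main.h (the *_diff members are left out), a pre-fix channel-to-group mapping in which channel 14 yields group 5, and a post-fix mapping that takes the rate as an argument. Given the array sizes above, index 5 is valid for the six-entry cck_base but one past the end of the five-entry bw40_base, so the example keeps group 5 only on the CCK path (rate <= DESC_RATE11M) and clamps channel 14 to group 4 for any other rate. The group table, the DESC_RATE* ordering and the sample power values are assumptions constructed for the example; a bounds-checked lookup stands in for the flagged statement so the overrun is reported instead of being executed.

```c
/* Added illustration, not the rtw88 driver's own code: models the 2.4 GHz
 * TX-power index lookup described in the CVE text.  The struct mirrors the
 * two arrays quoted from main.h (the *_diff members are omitted); the
 * channel-to-group table and the DESC_RATE* ordering are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Layout must match the efuse, so bw40_base cannot simply be enlarged. */
struct rtw_2g_txpwr_idx {
    u8 cck_base[6];
    u8 bw40_base[5];
};

/* Assumed rate ordering: the four CCK rates come first, so any rate above
 * DESC_RATE11M is an OFDM/HT rate that reads bw40_base. */
enum { DESC_RATE1M = 0, DESC_RATE2M, DESC_RATE5_5M, DESC_RATE11M, DESC_RATE6M };

/* Pre-fix grouping (assumed table): ch 1-2 -> 0, 3-5 -> 1, 6-8 -> 2,
 * 9-11 -> 3, 12-13 -> 4, 14 -> 5.  Group 5 is a valid index into
 * cck_base[6] but one past the end of bw40_base[5]. */
static u8 channel_group_prefix(u8 channel)
{
    if (channel <= 2)
        return 0;
    if (channel <= 13)
        return (u8)((channel - 3) / 3 + 1);
    return 5;
}

/* Post-fix grouping: the rate becomes an argument and channel 14 maps to
 * group 5 only on the CCK path; every other rate is clamped to group 4 so
 * the bw40_base access stays in bounds. */
static u8 channel_group_fixed(u8 channel, u8 rate)
{
    u8 group = channel_group_prefix(channel);

    if (channel == 14 && rate > DESC_RATE11M)
        group = 4;
    return group;
}

/* Bounds-checked version of the statement UBSAN flagged.  Returns false
 * instead of reading past the array, so the out-of-bounds case is visible
 * without undefined behaviour. */
static bool get_tx_power(const struct rtw_2g_txpwr_idx *pwr_idx_2g,
                         u8 channel, u8 rate, bool use_fix, u8 *tx_power)
{
    u8 group = use_fix ? channel_group_fixed(channel, rate)
                       : channel_group_prefix(channel);

    if (rate <= DESC_RATE11M) {
        if (group >= ARRAY_SIZE(pwr_idx_2g->cck_base))
            return false;
        *tx_power = pwr_idx_2g->cck_base[group];
    } else {
        if (group >= ARRAY_SIZE(pwr_idx_2g->bw40_base))
            return false;          /* the CVE-2021-47065 overrun path */
        *tx_power = pwr_idx_2g->bw40_base[group];
    }
    return true;
}

/* Looks up a constructed power table for one channel/rate; returns the
 * power index, or -1 when the lookup would have run off the array. */
static int lookup_tx_power(u8 channel, u8 rate, bool use_fix)
{
    /* Constructed sample values, not real efuse contents. */
    static const struct rtw_2g_txpwr_idx table = {
        .cck_base  = { 30, 31, 32, 33, 34, 35 },
        .bw40_base = { 20, 21, 22, 23, 24 },
    };
    u8 tx_power = 0;

    if (!get_tx_power(&table, channel, rate, use_fix, &tx_power))
        return -1;
    return tx_power;
}

int main(void)
{
    printf("ch14 OFDM, pre-fix : %d\n", lookup_tx_power(14, DESC_RATE6M, false));
    printf("ch14 OFDM, fixed   : %d\n", lookup_tx_power(14, DESC_RATE6M, true));
    printf("ch14 CCK,  fixed   : %d\n", lookup_tx_power(14, DESC_RATE11M, true));
    printf("ch7  OFDM, fixed   : %d\n", lookup_tx_power(7, DESC_RATE6M, true));
    return 0;
}
```

The pre-fix lookup for channel 14 at an OFDM rate reports -1 (in the driver it would read one byte past bw40_base, which is what UBSAN logged during the scan work shown in the trace), while the fixed mapping returns bw40_base[4]; CCK rates on channel 14 continue to use cck_base[5] in both versions.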

AI-Powered Analysis

Last updated: 06/30/2025, 20:41:40 UTC

Technical Analysis

CVE-2021-47065 is a vulnerability identified in the Linux kernel's Realtek wireless driver module rtw88, specifically within the function rtw_get_tx_power_params(). The issue is an array overrun caused by improper bounds checking when accessing the bw40_base array, which is defined with a size of 5 elements. The vulnerability arises because the 'group' index can take the value 5 for channel 14, which exceeds the array bounds, leading to an out-of-bounds memory access. This bug was detected using the Undefined Behaviour Sanity Checker (UBSAN), which logged an array-index-out-of-bounds error. The root cause is linked to the mismatch between the array size and the channel grouping logic, where channel 14 incorrectly maps to an index beyond the array's limit. The fix involved modifying the channel grouping function to ensure that for channel 14 and certain rate conditions, the group index is capped at 4, preventing the out-of-bounds access. This vulnerability is located in a wireless driver component responsible for setting transmission power parameters, which is critical for wireless communication hardware. The flaw was introduced in a prior commit (fa6dfe6bff24) and has been patched accordingly. Although no known exploits are reported in the wild, the vulnerability could potentially lead to kernel crashes or undefined behavior due to memory corruption. The vulnerability affects Linux kernel versions containing the specified commit and related builds. Since this is a kernel-level issue in a widely used open-source operating system, it has broad implications for systems using affected Realtek wireless chipsets with the rtw88 driver.

Potential Impact

For European organizations, the impact of CVE-2021-47065 can be significant depending on their reliance on Linux-based systems with Realtek wireless hardware using the rtw88 driver. Potential impacts include system instability, kernel panics, or crashes caused by the array overrun, which could lead to denial of service (DoS) conditions. In environments where wireless connectivity is critical—such as enterprise networks, public Wi-Fi infrastructure, or industrial control systems—this could disrupt operations. Although no direct evidence of remote code execution or privilege escalation is indicated, memory corruption vulnerabilities in kernel drivers can sometimes be leveraged for more severe attacks if combined with other vulnerabilities. Confidentiality and integrity impacts are less direct but cannot be ruled out if attackers exploit this flaw as part of a multi-stage attack. The vulnerability requires kernel-level access or the ability to trigger wireless driver operations, which may limit exploitation to local attackers or malicious insiders. However, given the widespread use of Linux in servers, desktops, and embedded devices across Europe, the vulnerability poses a risk to a broad range of sectors including government, finance, telecommunications, and critical infrastructure. The lack of known exploits reduces immediate risk but does not eliminate the need for timely patching to prevent future exploitation.

Mitigation Recommendations

European organizations should prioritize updating Linux kernels to versions that include the patch fixing CVE-2021-47065. Specifically, they should ensure that their Linux distributions have incorporated the fix that adjusts the channel grouping logic to prevent out-of-bounds access. System administrators should audit their environments to identify devices using the rtw88 Realtek wireless driver and verify kernel versions. For devices where kernel updates are not immediately feasible, consider disabling the affected wireless interfaces or restricting access to trusted users to minimize risk. Employ kernel hardening techniques such as enabling kernel address space layout randomization (KASLR), kernel page-table isolation (KPTI), and using security modules like SELinux or AppArmor to limit potential damage from kernel exploits. Monitoring system logs for UBSAN or kernel warnings related to wireless drivers can help detect attempts to trigger the vulnerability. Additionally, organizations should maintain robust incident response plans to quickly address any instability or suspicious activity related to wireless drivers. Collaboration with Linux distribution vendors and hardware manufacturers is recommended to ensure timely updates and guidance.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-29T22:33:44.296Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9834c4522896dcbe9c02

Added to database: 5/21/2025, 9:09:08 AM

Last enriched: 6/30/2025, 8:41:40 PM

Last updated: 8/3/2025, 6:29:43 PM

Views: 11
