CVE-2023-52611: Vulnerability in Linux Linux

Medium
Published: Mon Mar 18 2024 (03/18/2024, 10:07:46 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: sdio: Honor the host max_req_size in the RX path

Lukas reports skb_over_panic errors on his Banana Pi BPI-CM4 which comes with an Amlogic A311D (G12B) SoC and a RTL8822CS SDIO wifi/Bluetooth combo card. The error he observed is identical to what has been fixed in commit e967229ead0e ("wifi: rtw88: sdio: Check the HISR RX_REQUEST bit in rtw_sdio_rx_isr()") but that commit didn't fix Lukas' problem.

Lukas found that disabling or limiting RX aggregation works around the problem for some time (but does not fully fix it). In the following discussion a few key topics have been discussed which have an impact on this problem:

- The Amlogic A311D (G12B) SoC has a hardware bug in the SDIO controller which prevents DMA transfers. Instead all transfers need to go through the controller SRAM which limits transfers to 1536 bytes
- rtw88 chips don't split incoming (RX) packets, so if a big packet is received this is forwarded to the host in its original form
- rtw88 chips can do RX aggregation, meaning multiple incoming packets can be pulled by the host from the card with one MMC/SDIO transfer. This depends on settings in the REG_RXDMA_AGG_PG_TH register (BIT_RXDMA_AGG_PG_TH limits the number of packets that will be aggregated, BIT_DMA_AGG_TO_V1 configures a timeout for aggregation and BIT_EN_PRE_CALC makes the chip honor the limits more effectively)

Use multiple consecutive reads in rtw_sdio_read_port() and limit the number of bytes which are copied by the host from the card in one MMC/SDIO transfer. This allows receiving a buffer that's larger than the host's max_req_size (number of bytes which can be transferred in one MMC/SDIO transfer). As a result of this the skb_over_panic error is gone as the rtw88 driver is now able to receive more than 1536 bytes from the card (either because the incoming packet is larger than that or because multiple packets have been aggregated).

In case of receive errors (-EILSEQ has been observed by Lukas) we need to drain the remaining data from the card's buffer, otherwise the card will return corrupt data for the next rtw_sdio_read_port() call.

AI-Powered Analysis

Last updated: 07/01/2025, 10:57:03 UTC

Technical Analysis

CVE-2023-52611 is a vulnerability in the Linux kernel's rtw88 WiFi driver, specifically affecting the SDIO interface used by certain Realtek RTL8822CS combo WiFi/Bluetooth cards. The issue arises from the interaction between the driver and the hardware limitations of the Amlogic A311D (G12B) SoC's SDIO controller, which has a hardware bug preventing direct DMA transfers. Instead, all data transfers must go through the controller's SRAM, limiting the maximum transfer size to 1536 bytes. The rtw88 driver originally did not honor the host's maximum request size (max_req_size) in the RX path, leading to skb_over_panic errors when packets larger than this limit were received or when RX aggregation caused multiple packets to be transferred in a single MMC/SDIO transaction. This could cause kernel panics or crashes due to buffer overruns. The vulnerability was identified through observations on Banana Pi BPI-CM4 devices using the affected hardware. The fix involves modifying the rtw88 driver to perform multiple consecutive reads in the rtw_sdio_read_port() function, effectively splitting large incoming packets or aggregated packets into smaller chunks that respect the host's max_req_size. Additionally, the fix includes draining remaining data from the card's buffer in case of receive errors to prevent corrupt data from being processed in subsequent reads. This patch eliminates the skb_over_panic errors and stabilizes the RX path for affected devices. No known exploits are currently reported in the wild, and the vulnerability is specific to hardware using the RTL8822CS SDIO WiFi/Bluetooth combo card on platforms with the Amlogic A311D SoC or similar hardware exhibiting the same SDIO controller limitations.
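
The chunked read with drain-on-error described above, as a user-space C model added here for illustration; it is not the kernel patch or rtw88 driver code. `mock_card`, `card_transfer`, `read_port_chunked` and `demo` are hypothetical names, and the model assumes the card's buffer advances even when a transfer reports -EILSEQ.

```c
#include <errno.h>
#include <string.h>

/* Hypothetical model of the card's RX buffer; not a kernel structure. */
struct mock_card {
    const unsigned char *fifo; /* next byte the card will hand over */
    size_t pending;            /* bytes still queued in the card */
    size_t max_req_size;       /* host limit per MMC/SDIO transfer */
    int fail_on_call;          /* 1-based transfer that fails, 0 = none */
    int calls;                 /* transfers issued so far */
};

/* One transfer. Assumption of this model: the card's buffer advances even
 * when the transfer reports -EILSEQ. Oversized requests are rejected. */
static int card_transfer(struct mock_card *c, unsigned char *dst, size_t n)
{
    if (n > c->max_req_size || n > c->pending)
        return -EINVAL;
    memcpy(dst, c->fifo, n);
    c->fifo += n;
    c->pending -= n;
    return (++c->calls == c->fail_on_call) ? -EILSEQ : 0;
}

/* Read count bytes in chunks of at most max_req_size. After an error the
 * loop keeps reading to drain the card, and the first error is returned. */
static int read_port_chunked(struct mock_card *c, unsigned char *buf, size_t count)
{
    int ret = 0;
    while (count > 0) {
        size_t bytes = count < c->max_req_size ? count : c->max_req_size;
        int err = card_transfer(c, buf, bytes);
        if (err && !ret)
            ret = err;         /* buf is short/corrupt for the caller */
        buf += bytes;          /* do not stop: drain what is left */
        count -= bytes;
    }
    return ret;
}

/* Constructed case: 4000 queued bytes, 1536-byte host limit. */
static int demo(int fail_on_call, struct mock_card *out)
{
    static unsigned char src[4000], dst[4000];
    struct mock_card c = { src, sizeof(src), 1536, fail_on_call, 0 };
    int ret = read_port_chunked(&c, dst, sizeof(dst));
    *out = c;                  /* expose transfer count and leftover bytes */
    return ret;
}
```

With the constructed 4000-byte buffer, the read takes three transfers (1536, 1536 and 928 bytes), and a failure on the second transfer still leaves the card's buffer empty for the next call.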

Potential Impact

For European organizations, the impact of CVE-2023-52611 primarily concerns systems and embedded devices running Linux kernels with the affected rtw88 driver and using the RTL8822CS SDIO WiFi/Bluetooth combo card, particularly on hardware platforms like the Banana Pi BPI-CM4 or other devices with the Amlogic A311D SoC. Such devices are often used in IoT, industrial control, or edge computing scenarios. The vulnerability can cause kernel panics or system instability due to skb_over_panic errors, leading to denial of service (DoS) conditions. This can disrupt critical network connectivity, especially in environments relying on wireless communication for operational continuity. While the vulnerability does not appear to allow privilege escalation or remote code execution, the resulting instability can impact availability and reliability of affected systems. European organizations deploying embedded Linux devices with these hardware components may experience operational disruptions, increased maintenance overhead, and potential downtime. Since no known exploits exist in the wild, the immediate risk is moderate, but unpatched systems remain vulnerable to accidental crashes or targeted attacks exploiting this flaw to cause DoS.

Mitigation Recommendations

To mitigate CVE-2023-52611, European organizations should:

1) Identify and inventory devices using the RTL8822CS SDIO WiFi/Bluetooth combo card, especially those running on Amlogic A311D (G12B) SoC or similar hardware with SDIO controller limitations.
2) Apply the latest Linux kernel updates or patches that include the fix for honoring the host max_req_size in the rtw88 driver's RX path. This involves updating to kernel versions that incorporate the relevant commit addressing this issue.
3) For devices where kernel updates are not immediately feasible, consider disabling or limiting RX aggregation settings in the rtw88 driver as a temporary workaround to reduce the likelihood of skb_over_panic errors, though this does not fully resolve the problem.
4) Monitor system logs for skb_over_panic or -EILSEQ errors related to the rtw88 driver to detect potential issues early.
5) Engage with hardware vendors or device manufacturers to confirm support for patched drivers and firmware updates.
6) For critical deployments, conduct testing to validate stability post-patch and ensure that the fix does not introduce regressions.
7) Implement network segmentation and access controls to limit exposure of vulnerable devices to untrusted networks, reducing the risk of exploitation attempts causing denial of service.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-03-06T09:52:12.088Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9831c4522896dcbe7dcc

Added to database: 5/21/2025, 9:09:05 AM

Last enriched: 7/1/2025, 10:57:03 AM

Last updated: 8/4/2025, 1:07:17 PM
