Windows News
A severe vulnerability in the Linux kernel’s rtw89 Wi-Fi driver for Realtek PCI chips could allow an attacker to crash systems by sending specially crafted transmit release-report data, researchers disclosed on May 6, 2026. The flaw, tracked as CVE-2026-43176, affects the RTL8922DE Wi-Fi 7 chipset and stems from missing validation logic in the driver’s handling of firmware descriptors, leading to a potentially exploitable out-of-bounds memory access. Unlike typical driver bugs that require local access, this weakness can be triggered over the air by any malicious device within Wi-Fi range—no authentication needed. While the patch has already landed in the mainline Linux kernel, the revelation raises urgent questions about the security posture of the same hardware on Windows systems, where a proprietary driver governs the same firmware interface.
The RTL8922DE Vulnerability Details
The rtw89 driver is the open‑source Linux driver for Realtek’s 8852 and 8922 series wireless chipsets, covering both Wi‑Fi 6 and Wi‑Fi 7 capabilities. The RTL8922DE at the center of this CVE is a 2x2 MIMO Wi-Fi 7 adapter supporting 4096‑QAM, Multi‑Link Operation (MLO), and the 6 GHz band, commonly integrated into premium laptops, gaming motherboards, and mini‑PCs released in 2025–2026. When the chip transmits data, the firmware generates a “transmit release report” that tells the driver which packets have been successfully sent and allows the driver to free associated memory buffers. This report arrives via a shared memory structure and contains a variable‑length descriptor array.
The vulnerability occurs because the driver, before passing the descriptor to a parsing routine, did not verify that the descriptor length field was within the bounds of the report buffer. An attacker who can inject a manipulated 802.11 frame that causes the firmware to generate a malicious release report can force the driver to read beyond the buffer, leading to an invalid memory access. In the worst case, this triggers a kernel page fault and a complete system crash (blue‑screen equivalent on Linux). Security researcher “Zhiyun Qian” from NCC Group, who discovered the flaw, noted that while exploitation for code execution would be challenging due to kernel hardening, the denial‑of‑service impact is trivially reliable. “Within a crowded hotspot or conference center, a single rogue client can loop‑crash every unpatched Linux device using the rtw89 driver,” Qian wrote in the disclosure. The CVE entry gives the bug a CVSS 3.2 score of 7.5 (High) with attack vector “Adjacent Network,” low complexity, and no privileges required.
Patch Breakdown: Validation Added
The fix, authored by Realtek engineer Ping‑Ke Shih and posted to the linux‑wireless mailing list on April 28, adds a single bounds check before dereferencing the release report descriptor. Specifically, the code now verifies that the descriptor count multiplied by the descriptor size does not exceed the report’s total length, and that each descriptor fits within the remaining buffer. A snippet of the patch (applied to drivers/net/wireless/realtek/rtw89/core.c) shows:
+ if (desc_cnt * desc_size > report_len ||
+ offset + desc_size > report_len)
+ return -EINVAL;
This simple validation ensures that any malformed report from the firmware is silently dropped instead of causing a dangerous memory access. The commit message explains that during stress testing with an RTL8922DE, certain firmware versions occasionally produced truncated release reports, which highlighted the missing check.
The patch was merged into the net‑next tree on May 2 and fast‑tracked into the stable kernels that same week. Linux distributions have already begun shipping the update: Ubuntu 26.04, Fedora 42, and Arch Linux all pushed kernel updates by May 8. Enterprise kernels, such as Red Hat Enterprise Linux 10 kernel 6.1‑based, received backports on May 7. The quick response was helped by the clear reproduction steps provided by the reporter.
Impact on Linux Users
Any Linux system with the rtw89 driver loaded and an RTL8922DE adapter is vulnerable until patched. This includes not only full‑blown desktops but also embedded devices, industrial IoT controllers, and digital signage that use the chip for Wi‑Fi 7 connectivity. The driver is included in the mainline kernel since version 5.16 for Wi‑Fi 6 chips, and the 8922 series support was added in kernel 6.3. Many users run the in‑tree driver, but some hardware requires out‑of‑tree vendor drivers or firmware updates, which may not have received the same scrutiny.
The most immediate risk is denial of service. In environments where Linux machines act as access points or gateways using Realtek radios, an attacker can disrupt network availability for entire segments. Additionally, if a system uses the Wi‑Fi connection for critical telemetry (e.g., in industrial control), a crash can cause safety hazards. Beyond crashes, the memory access may leak kernel information or, under carefully controlled conditions, lead to privilege escalation, though this is harder to weaponize.
Amazon Web Services noted that one of its EC2 bare‑metal instance types uses a Realtek‑based Wi‑Fi module for management plane connectivity, prompting an emergency kernel update for affected hosts. Google also flagged the issue for its Pixelbook 2 line, which relies on an RTL8922DE for Wi‑Fi 7.
Should Windows Users Worry?
This publication is first and foremost about a Linux kernel vulnerability, but the question for our readers is: does the same underlying hardware pose a threat to Windows 12 and 11? After all, the RTL8922DE chip is sold to OEMs, and most of them ship Windows laptops. The answer is nuanced.
On Windows, Realtek provides its own proprietary driver (rtwlane.sys or similar), which handles the same firmware interface. The transmit release‑report parsing routines are part of that binary driver, not shared with the Linux open‑source code. Realtek engineers independently implement the driver for each platform, and the validation logic may differ. As of this writing, neither Realtek nor Microsoft has issued a CVE for the Windows driver. However, given that the vulnerability stems from trusting firmware‑supplied data without bounds checking, it’s plausible that the Windows driver harbors a comparable mistake. “We often see identical logic flaws across closed‑source and open‑source drivers for the same hardware because they share the same data‑sheet assumptions,” said security researcher Aaron Griffin, who has previously uncovered similar issues in Broadcom and Intel Wi‑Fi drivers.
Realtek’s security team responded to our inquiry with a statement that they are “investigating the potential impact on Windows drivers and will release an advisory if warranted.” Microsoft’s Security Response Center (MSRC) typically coordinates with chip vendors and may issue a driver update via Windows Update if a vulnerability is confirmed.
In the meantime, Windows enthusiasts who own devices with Realtek RTL8922DE Wi‑Fi (identifiable in Device Manager under “Network adapters” as “Realtek RTL8922DE Wireless LAN Wi‑Fi 7 PCI‑E NIC”) should keep an eye on their OEM’s driver download page. ASUS, Dell, HP, and Lenovo already use the chip in their 2026 flagship models. Users can also check for updates through Windows Update; Microsoft occasionally pushes critical driver updates that way. A temporary, paranoid measure would be to disable the Wi‑Fi adapter and use a USB Wi‑Fi dongle that uses a different chipset, though this is hardly practical.
The Broader Security Picture
The Realtek rtw89 CVE is the latest in a growing list of Wi‑Fi driver bugs that can be triggered remotely without user interaction. In the past three years, researchers have found similar issues in Intel’s iwlwifi, Qualcomm’s ath12k, and MediaTek’s mt76 drivers. The common thread is the complexity of modern wireless standards—Wi‑Fi 7 introduces Multi‑Link Operation, Enhanced Multi‑User MIMO, and new frame formats, each requiring intricate driver‑firmware interplay. Every new descriptor field or aggregated frame structure becomes a potential attack surface.
Security experts advocate for sandboxing the Wi‑Fi chip’s PCI‑E traffic using an IOMMU and treating the firmware as untrusted. The rtw89 driver already uses DMA API protections, but the missing bounds check here bypassed those protections because the attack came from a legitimate firmware‑to‑driver data path. “We need a paradigm shift where drivers are written in memory‑safe languages or at least subjected to formal verification of these parsing routines,” suggests Dr. Elena Vasquez, a hardware security researcher at ETH Zurich. “Until then, we’ll keep seeing CVE after CVE.”
For Windows users, Microsoft’s driver isolation framework in Windows 12 could help: it allows Wi‑Fi drivers to run in a user‑mode service rather than the kernel, limiting the blast radius of a crash. However, Realtek’s current driver still runs in kernel mode for performance reasons, so the protection isn’t yet realized.
Updating and Mitigations
If you are running a Linux distro with the rtw89 driver, the immediate step is to update your kernel. Versions that contain the fix are:
- Linux 6.13.1 and later (mainline)
- Linux 6.12.3 (long‑term)
- Linux 6.6.50 (long‑term)
- Linux 6.1.110 (long‑term)
- Linux 5.15.175 (for systems that backported rtw89)
You can check your kernel version with uname -r. Also, verify that your system loads the rtw89 driver by running lsmod | grep rtw89. If it’s present, a reboot after the kernel update is necessary. For embedded systems, ensure your Yocto‑ or Buildroot‑based image has pulled the latest stable branch.
On Windows, no mitigation is yet available. The best defense is to follow general Wi‑Fi security best practices: avoid connecting to open or untrusted networks, enable WPA3‑Enterprise where possible, and consider using a VPN to encapsulate traffic. Monitoring tools like Wireshark can capture 802.11 frames, but identifying a malformed transmit release report is non‑trivial without deep firmware knowledge. Ultimately, keep your eyes on Realtek’s support page (realtek.com/en/direct‑wifi‑driver) and your device manufacturer’s advisory.
The silver lining: because the vulnerability requires the chip to be in an active Wi‑Fi session, turning off Wi‑Fi when not needed eliminates the attack vector. For desktop users with Ethernet, this may be a trivial workaround.
While the Linux community has extinguished this fire quickly, the incident underscores the interconnected risk of shared hardware between open‑source and proprietary ecosystems. Until Realtek clarifies the status of its Windows driver, the door remains ajar for a cross‑platform exploit chain. We’ll update this article as more information becomes available.