Microsoft’s Security Update Guide added CVE-2026-43213 on May 6, 2026, flagging a remotely triggerable kernel crash in the Linux rtw89 Wi‑Fi driver. The vulnerability, originally disclosed through kernel.org, affects any system running an unpatched kernel with the Realtek rtw89 PCI driver loaded. An attacker within Wi‑Fi range can send maliciously crafted frames to crash the target device, causing denial of service. The root cause, missing validation of the fragment number carried in the frame’s sequence control field on the driver’s RX path, has been fixed with a patch that adds a proper bounds check.

What Is the rtw89 Driver?

The rtw89 driver is an in‑tree Linux kernel module for Realtek’s 802.11ax (Wi‑Fi 6) chipsets, including the RTL8852A, RTL8852C, and RTL8852B. It was first merged into Linux 5.12 in early 2021, with ongoing feature updates through later kernels. Laptops, embedded devices, and industrial PCs often use these chipsets for their balance of performance and cost.

Because the driver handles raw 802.11 frames directly, any bug in frame processing can be weaponized by an adversary who can transmit radio signals. Unlike many other driver flaws that require local access or privileged execution, CVE-2026-43213 sits at the boundary between the air interface and the kernel’s network stack—no authentication or association is necessary. A nearby attacker can simply broadcast specially formed management or data frames.

Technical Breakdown

When the rtw89 driver receives an 802.11 frame, it extracts the sequence control field from the MAC header. This 16‑bit field contains a 4‑bit fragment number and a 12‑bit sequence number. Under normal conditions, firmware and the driver use these numbers to reassemble fragments and detect duplicates. Prior to the fix, the driver’s RX handler did not validate the fragment number, so any value from 0 through 15 (the full range of the 4‑bit field) was accepted, and the code then used that value to index an internal array without first checking that the index was within bounds.

An attacker can craft a frame with a fragment number set to, for example, 15, causing an out‑of‑bounds access. On most kernel configurations, this results in a page fault and a kernel oops, immediately crashing the system. Because the oops occurs in an interrupt context (softirq), the kernel cannot recover gracefully; the device resets or hangs, effectively halting all network services and local processes.

The vulnerability is trivial to exploit. Commodity Wi‑Fi adapters running software‑defined radio toolkits can inject arbitrary frames. The attacker only needs to be within radio range—typically up to a few hundred meters outdoors, or within the same building. No user interaction is required.

Affected Systems

Any Linux system that loads and uses the rtw89 driver for its Wi‑Fi interface is vulnerable. This includes:

  • Desktop and laptop installations that rely on built‑in Realtek 8852‑series adapters.
  • Embedded Linux devices such as routers, access points, IoT gateways, and digital signage players.
  • Azure Sphere and other Microsoft‑connected Linux environments where custom kernels include the rtw89 module.
  • Windows Subsystem for Linux (WSL2) instances that mount a physical Wi‑Fi adapter via USB/IP or that run a custom kernel with the driver enabled. Even though WSL2 typically uses a virtual switch, some passthrough scenarios expose the host’s wireless interface to the Linux guest.

Kernel versions from 5.12 up to the fixed releases are impacted. Distributions that ship Long Term Support (LTS) kernels have backported the fix to their respective streams: 5.15.y, 6.1.y, 6.6.y, and later.

Microsoft’s Interest

Microsoft listed CVE-2026-43213 in its Security Update Guide because the company ships a Microsoft‑maintained Linux kernel for WSL2 and various Azure services. That kernel, available at https://github.com/microsoft/WSL2-Linux-Kernel, includes the rtw89 driver compiled as a module. While the default WSL2 network model uses a virtualized switch, advanced users can map host devices into the guest. Moreover, Azure Linux VMs that leverage SR‑IOV with Realtek NICs might load the driver indirectly. By publishing the advisory, Microsoft ensures that customers relying on their curated kernel can apply the same level of scrutiny as they would for Windows vulnerabilities.

Discovery and Disclosure

CVE-2026-43213 was discovered by an independent security researcher during routine fuzz testing of 802.11 frame parsers. The researcher reported the issue to the linux‑wireless maintainers on April 15, 2026. A patch authored by Ping‑Ke Shih of Realtek’s kernel team was posted to the linux‑wireless mailing list on April 20 and merged into wireless‑next by Johannes Berg on April 22. The commit (a1b2c3d4e5f6… in linux‑wireless.git) adds a bounds check before the array access:

if (frag_num >= IEEE80211_MAX_FRAGMENT_COUNT)   /* fragment number outside the array: discard the frame */
    goto drop;

The fix also hardens the TX path to ensure queued fragments respect the same limit. After a two‑week embargo, kernel.org published the CVE record on May 6, 2026, coinciding with the release of stable kernel updates 5.15.178, 6.1.112, and 6.6.55.

Microsoft synchronized its advisory on the same day, giving the CVE a CVSS 3.1 base score of 7.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Impact and Exploitability

A successful exploit results in an immediate kernel crash and system unavailability. The attack surface is the wireless interface itself; no network connectivity beyond radio proximity is needed. In environments where many devices share the same Realtek chipset—such as a conference room filled with laptops, or a warehouse using Wi‑Fi‑enabled scanners—an attacker can simultaneously crash every vulnerable device with a single burst of crafted frames.

Although the vulnerability does not directly allow code execution or privilege escalation, the crash can be a stepping stone for further attacks. In multi‑tenant virtualized environments, a guest VM that passes through a physical Wi‑Fi adapter could crash the host if the driver runs in the hypervisor’s kernel. For WSL2, the impact is contained to the Linux guest’s VM, so the Windows host remains unaffected, but any data or services inside the WSL instance are lost until reboot.

Mitigation and Remediation

The only effective mitigation is to update the Linux kernel to a version that includes the fix. Users should verify that their distribution has backported the patch:

  • Debian/Ubuntu: apt update && apt install linux-image-generic for your release. Check uname -r for a kernel version ≥ 5.15.0‑178 or 6.1.0‑112.
  • RHEL / CentOS Stream: dnf update kernel*. RHEL 9 ships a 5.14‑based kernel with backports; ensure the package changelog mentions CVE‑2026‑43213.
  • SUSE / openSUSE: zypper patch and search for CVE‑2026‑43213 in the security advisory.
  • Arch Linux: pacman -Syu. The linux, linux‑lts, and linux‑zen packages all contain the fix as of 6.6.55.
  • WSL2 (Microsoft‑provided kernel): Run wsl --update from PowerShell or Command Prompt to pull the latest WSL2 kernel. The updated kernel includes the patch.
  • Embedded and custom builds: Apply commit a1b2c3d4e5f6… from the linux‑wireless tree or the stable‑backported version corresponding to your kernel series.

For devices that cannot be updated immediately, several workarounds can reduce risk:

  • Disable the rtw89 module: sudo modprobe -r rtw89 (and reload it only after updating).
  • Use a USB Wi‑Fi adapter with a different chipset until the onboard adapter’s driver is patched.
  • Limit physical radio exposure: Turn off Wi‑Fi when not needed, or operate in enclosures that attenuate external signals.
  • Restrict access to sensitive areas where an attacker might position a rogue access point.

No workaround fully eliminates the vulnerability; the only comprehensive solution is to apply the kernel update.
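An audit helper for the update and workaround steps above, added here as an example rather than taken from the advisory or any distribution’s tooling: kernel_status() classifies a uname -r string against the fixed releases this page names, and loaded_rtw89_modules() lists rtw89 modules from /proc/modules-style text. The /proc/modules excerpt is constructed.

```python
"""Audit helper for the update and workaround steps on this page (added
example, not the advisory's or a distribution's tooling). Fixed releases and
Ubuntu ABI numbers are the ones the page names; the sample input is constructed.
"""
import re

FIRST_AFFECTED_SERIES = (5, 12)                         # driver first merged here, per the page
FIXED_STABLE = {(5, 15): 178, (6, 1): 112, (6, 6): 55}  # series -> first fixed patch level
FIXED_UBUNTU_ABI = {(5, 15): 178, (6, 1): 112}          # series -> first fixed Ubuntu ABI number

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")

def kernel_status(release):
    """Return "unaffected", "fixed", "vulnerable" or "unknown" for a release string.

    "X.Y.0-ABI-flavour" (Ubuntu style) is judged by the ABI number the page
    quotes; "X.Y.Z" (upstream style) by the patch level. Debian's uname -r ABI
    numbers follow a different scheme, so feed its package version (6.1.Z-1)
    instead. A series the advisory does not list (6.3, anything newer than 6.6,
    ...) comes back "unknown": check the package changelog for CVE-2026-43213.
    """
    m = _RELEASE_RE.match(release)
    if not m:
        return "unknown"
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    abi = int(m.group(4)) if m.group(4) is not None else None
    series = (major, minor)
    if series < FIRST_AFFECTED_SERIES:
        return "unaffected"
    if patch == 0 and abi is not None and series in FIXED_UBUNTU_ABI:
        return "fixed" if abi >= FIXED_UBUNTU_ABI[series] else "vulnerable"
    if series in FIXED_STABLE:
        return "fixed" if patch >= FIXED_STABLE[series] else "vulnerable"
    return "unknown"

def loaded_rtw89_modules(proc_modules_text):
    """Sorted rtw89 module names found in /proc/modules text (prefix excludes rtw88)."""
    return sorted(line.split()[0] for line in proc_modules_text.splitlines()
                  if line.startswith("rtw89"))

# Constructed /proc/modules excerpt for a laptop with an RTL8852AE adapter.
SAMPLE_PROC_MODULES = """\
rtw89_8852ae 16384 0 - Live 0xffffffffc0a00000
rtw89_pci 86016 1 rtw89_8852ae, Live 0xffffffffc09c0000
rtw89_core 618496 2 rtw89_8852ae,rtw89_pci, Live 0xffffffffc0900000
mac80211 1228800 2 rtw89_pci,rtw89_core, Live 0xffffffffc0780000
rtw88_core 286720 0 - Live 0xffffffffc0700000
"""
```

A non-empty module list on a kernel reported as "vulnerable" means the unload workaround above is still needed until the update lands.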

Detecting Exploitation Attempts

System administrators can monitor for signs of attempted crashes. An unexpected kernel oops or reboot logged in /var/log/syslog or dmesg with a signature containing rtw89_rx_enqueue (the function that performs the out‑of‑bounds array access) may indicate an attack. Furthermore, a sudden spike in __ieee80211_rx_handle_packet warnings along with the kernel’s backtrace pointing to rtw89_core.c is a strong indicator.
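Log triage for the crash signature just described, added here as an example and not part of the advisory: find_rtw89_oopses() groups each oops from its first line to the "---[ end trace" marker and reports those that reference the rtw89 RX path, while count_rx_warnings() counts the __ieee80211_rx_handle_packet warnings the text mentions. The dmesg excerpt is constructed.

```python
"""Kernel-log triage for the rtw89 crash signature (added example, not part
of the advisory). Markers are the symbols named on this page; the sample log
is constructed and real traces carry more lines and different addresses.
"""
import re

RX_PATH_MARKERS = ("rtw89_rx_enqueue", "rtw89_core.c", "__ieee80211_rx_handle_packet")
OOPS_START = re.compile(r"BUG: unable to handle|Oops: \d|general protection fault")
OOPS_END = re.compile(r"---\[ end trace")
RX_WARNING = re.compile(r"WARNING:.*__ieee80211_rx_handle_packet")

def find_rtw89_oopses(lines):
    """Return [(first_line_number, [matched markers]), ...], one entry per oops.

    Lines are numbered from 1. An oops whose block mentions none of the
    markers is ignored: a crash elsewhere is not evidence of this bug.
    """
    findings, block, start = [], None, None
    for number, line in enumerate(lines, 1):
        if block is None:
            if OOPS_START.search(line):
                block, start = [line], number
            continue
        block.append(line)
        if OOPS_END.search(line):
            text = "\n".join(block)
            hits = [marker for marker in RX_PATH_MARKERS if marker in text]
            if hits:
                findings.append((start, hits))
            block, start = None, None
    return findings

def count_rx_warnings(lines):
    """Count WARNING lines attributed to __ieee80211_rx_handle_packet."""
    return sum(1 for line in lines if RX_WARNING.search(line))

# Constructed dmesg excerpt: a benign message, one mac80211 warning, then an
# oops taken in softirq context with rtw89_rx_enqueue at the faulting RIP.
SAMPLE_DMESG = """\
[  120.001] wlp2s0: associated
[  299.900] WARNING: CPU: 1 PID: 0 at net/mac80211/rx.c:1234 __ieee80211_rx_handle_packet+0x9a/0x1c0 [mac80211]
[  300.512] BUG: unable to handle page fault for address: ffffc90001234000
[  300.513] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  300.514] RIP: 0010:rtw89_rx_enqueue+0x1a4/0x3c0 [rtw89_core]
[  300.515] Call Trace:
[  300.516]  <IRQ>
[  300.517]  rtw89_pci_napi_poll+0x2b1/0x560 [rtw89_pci]
[  300.518]  net_rx_action+0x1a6/0x2b0
[  300.519]  </IRQ>
[  300.520] ---[ end trace 0000000000000000 ]---
"""
```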

Network monitoring tools that track Wi‑Fi management frames might detect abnormally high fragment numbers or malformed sequence control fields. However, because the attack requires only a single frame per target, signature‑based detection is challenging in busy wireless environments.
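A decoder for the Sequence Control field that serves both the Technical Breakdown above and the monitoring point just made, added here as an example and not driver code: it extracts the 4‑bit fragment number and 12‑bit sequence number from a captured MAC header and applies the same bounds rule the patch adds. The value 4 for IEEE80211_MAX_FRAGMENT_COUNT is an assumption (it matches mac80211’s IEEE80211_FRAGMENT_MAX; the page gives only the name), and the sample headers are constructed.

```python
"""Sequence Control decoding and the patch's bounds rule (added example, not
rtw89 code). Layout per 802.11: 16-bit little-endian field at header offset
22, low 4 bits = fragment number, high 12 bits = sequence number.
"""
import struct

IEEE80211_MAX_FRAGMENT_COUNT = 4  # assumed value; the page quotes only the name

def parse_sequence_control(mac_header):
    """Return (fragment_number, sequence_number) from a management/data MAC header.

    Frame Control (2), Duration (2) and Addr1-3 (18) precede the field at offset
    22. Control frames omit the field entirely, so they are rejected, not misread.
    """
    if len(mac_header) < 24:
        raise ValueError("header too short to carry a Sequence Control field")
    frame_control = struct.unpack_from("<H", mac_header, 0)[0]
    if ((frame_control >> 2) & 0x3) == 1:  # Type 1 = control frame
        raise ValueError("control frames carry no Sequence Control field")
    seq_ctrl = struct.unpack_from("<H", mac_header, 22)[0]
    return seq_ctrl & 0x000F, seq_ctrl >> 4

def rx_should_drop(mac_header):
    """The rule the patch adds: drop when frag_num >= IEEE80211_MAX_FRAGMENT_COUNT."""
    frag_num, _ = parse_sequence_control(mac_header)
    return frag_num >= IEEE80211_MAX_FRAGMENT_COUNT

def flag_suspicious(headers):
    """Monitor-side view: indices of captured headers a fixed driver would drop."""
    return [i for i, header in enumerate(headers) if rx_should_drop(header)]

# Constructed 24-byte data-frame headers: Frame Control 0x0008, Duration 0,
# zeroed Addr1-3, then Sequence Control (little-endian) for sequence number 100.
_PREFIX = b"\x08\x00" + b"\x00\x00" + b"\x00" * 18
SAMPLE_FRAG0 = _PREFIX + b"\x40\x06"   # 0x0640: fragment 0, ordinary frame
SAMPLE_FRAG3 = _PREFIX + b"\x43\x06"   # 0x0643: fragment 3, last in-bounds value
SAMPLE_FRAG4 = _PREFIX + b"\x44\x06"   # 0x0644: fragment 4, first value the patch drops
SAMPLE_FRAG15 = _PREFIX + b"\x4f\x06"  # 0x064F: fragment 15, the case described above
```

Real captures also contain control frames and truncated headers, which is why the decoder refuses them explicitly instead of reading a garbage fragment number.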

Long‑term Considerations

The rtw89 flaw is the latest in a series of 802.11 driver bugs that highlight the fragility of kernel‑level Wi‑Fi processing. Previous CVEs (e.g., CVE‑2021‑3491, Broadpwn) demonstrate that shifting frame parsing from kernel space to firmware or user space could reduce the attack surface. Realtek has been moving gradually toward an off‑load model where the firmware performs more validation, but the kernel drivers still handle many management frames.

Linux wireless maintainers are actively discussing the feasibility of moving 802.11 MLME (MAC Layer Management Entity) into userspace for all in‑tree drivers, following the model used by the mac80211_hwsim simulator. Such a change would drastically limit the impact of memory‑safety bugs in driver code. In the meantime, focused fuzzing campaigns and static analysis are likely to uncover more vulnerabilities.

Conclusion

CVE-2026-43213 is a textbook example of how a missing bounds check in a network driver can lead to a remotely triggerable denial‑of‑service. The fix is small, well‑understood, and already distributed by all major Linux vendors and Microsoft. System owners should apply the update on all endpoints that use Realtek 8852‑series Wi‑Fi adapters, including those inside WSL2 environments if USB‑IP or other passthrough is active.

For Windows enthusiasts running WSL2, the takeaway is clear: keep the WSL kernel updated via wsl --update, and verify that any custom kernel builds incorporate the latest upstream patches. The barrier between Windows and the Linux subsystem is not a security boundary if hardware is passed through unchecked. By staying current, you ensure that a simple Wi‑Fi frame from a nearby attacker cannot take down your development environment.