{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54036", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-24T10:53:46.180Z", "datePublished": "2025-12-24T10:56:03.215Z", "dateUpdated": "2025-12-24T10:56:03.215Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-24T10:56:03.215Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU\n\nThe wifi + bluetooth combo chip RTL8723BU can leak memory (especially?)\nwhen it's connected to a bluetooth audio device. The busy bluetooth\ntraffic generates lots of C2H (card to host) messages, which are not\nfreed correctly.\n\nTo fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback()\ninside the loop where skb_dequeue() is called.\n\nThe RTL8192EU leaks memory because the C2H messages are added to the\nqueue and left there forever. (This was fine in the past because it\nprobably wasn't sending any C2H messages until commit e542e66b7c2e\n(\"wifi: rtl8xxxu: gen2: Turn on the rate control\"). Since that commit\nit sends a C2H message when the TX rate changes.)\n\nTo fix this, delete the check for rf_paths > 1 and the goto. Let the\nfunction process the C2H messages from RTL8192EU like the ones from\nthe other chips.\n\nTheoretically the RTL8188FU could also leak like RTL8723BU, but it\nmost likely doesn't send C2H messages frequently enough.\n\nThis change was tested with RTL8723BU by Erhard F. I tested it with\nRTL8188FU and RTL8192EU."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c"], "versions": [{"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819", "lessThan": "430f9f9bec53a75f9ccc53e156a66f13fc098b83", "status": "affected", "versionType": "git"}, {"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819", "lessThan": "35fb0e275af1aa1ca0a9784417e90f988aaf8e78", "status": "affected", "versionType": "git"}, {"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819", "lessThan": "93c3f34ec02fc81188d328287d4fddd498ccddea", "status": "affected", "versionType": "git"}, {"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819", "lessThan": "f39a86b4efd270947ee252cc32a30b0aef492d65", "status": "affected", "versionType": "git"}, {"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819", "lessThan": "b39f662ce1648db0b9de32e6a849b098480793cb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c"], "versions": [{"version": "5.5", "status": "affected"}, {"version": "0", "lessThan": "5.5", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.173", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.99", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.16", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.3", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.173"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.15.99"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.1.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.2.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "6.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/430f9f9bec53a75f9ccc53e156a66f13fc098b83"}, {"url": "https://git.kernel.org/stable/c/35fb0e275af1aa1ca0a9784417e90f988aaf8e78"}, {"url": "https://git.kernel.org/stable/c/93c3f34ec02fc81188d328287d4fddd498ccddea"}, {"url": "https://git.kernel.org/stable/c/f39a86b4efd270947ee252cc32a30b0aef492d65"}, {"url": "https://git.kernel.org/stable/c/b39f662ce1648db0b9de32e6a849b098480793cb"}], "title": "wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU\n\nThe wifi + bluetooth combo chip RTL8723BU can leak memory (especially?)\nwhen it's connected to a bluetooth audio device. The busy bluetooth\ntraffic generates lots of C2H (card to host) messages, which are not\nfreed correctly.\n\nTo fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback()\ninside the loop where skb_dequeue() is called.\n\nThe RTL8192EU leaks memory because the C2H messages are added to the\nqueue and left there forever. (This was fine in the past because it\nprobably wasn't sending any C2H messages until commit e542e66b7c2e\n(\"wifi: rtl8xxxu: gen2: Turn on the rate control\"). Since that commit\nit sends a C2H message when the TX rate changes.)\n\nTo fix this, delete the check for rf_paths > 1 and the goto. Let the\nfunction process the C2H messages from RTL8192EU like the ones from\nthe other chips.\n\nTheoretically the RTL8188FU could also leak like RTL8723BU, but it\nmost likely doesn't send C2H messages frequently enough.\n\nThis change was tested with RTL8723BU by Erhard F. I tested it with\nRTL8188FU and RTL8192EU."}], "id": "CVE-2023-54036", "lastModified": "2025-12-24T11:15:56.593", "metrics": {}, "published": "2025-12-24T11:15:56.593", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/35fb0e275af1aa1ca0a9784417e90f988aaf8e78"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/430f9f9bec53a75f9ccc53e156a66f13fc098b83"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/93c3f34ec02fc81188d328287d4fddd498ccddea"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b39f662ce1648db0b9de32e6a849b098480793cb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f39a86b4efd270947ee252cc32a30b0aef492d65"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}