{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2021-47065", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-29T22:33:44.296Z", "datePublished": "2024-02-29T22:37:39.135Z", "dateUpdated": "2026-05-11T13:47:24.099Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T13:47:24.099Z" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtw88: Fix array overrun in rtw_get_tx_power_params()\n\nUsing a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the\nfollowing array overrun is logged:\n\n================================================================================\nUBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34\nindex 5 is out of range for type 'u8 [5]'\nCPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G O 5.12.0-rc5-00086-gd88bba47038e-dirty #651\nHardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50 09/29/2014\nWorkqueue: phy0 ieee80211_scan_work [mac80211]\nCall Trace:\n dump_stack+0x64/0x7c\n ubsan_epilogue+0x5/0x40\n __ubsan_handle_out_of_bounds.cold+0x43/0x48\n rtw_get_tx_power_params+0x83a/drivers/net/wireless/realtek/rtw88/0xad0 [rtw_core]\n ? rtw_pci_read16+0x20/0x20 [rtw_pci]\n ? check_hw_ready+0x50/0x90 [rtw_core]\n rtw_phy_get_tx_power_index+0x4d/0xd0 [rtw_core]\n rtw_phy_set_tx_power_level+0xee/0x1b0 [rtw_core]\n rtw_set_channel+0xab/0x110 [rtw_core]\n rtw_ops_config+0x87/0xc0 [rtw_core]\n ieee80211_hw_config+0x9d/0x130 [mac80211]\n ieee80211_scan_state_set_channel+0x81/0x170 [mac80211]\n ieee80211_scan_work+0x19f/0x2a0 [mac80211]\n process_one_work+0x1dd/0x3a0\n worker_thread+0x49/0x330\n ? rescuer_thread+0x3a0/0x3a0\n kthread+0x134/0x150\n ? kthread_create_worker_on_cpu+0x70/0x70\n ret_from_fork+0x22/0x30\n================================================================================\n\nThe statement where an array is being overrun is shown in the following snippet:\n\n\tif (rate <= DESC_RATE11M)\n\t\ttx_power = pwr_idx_2g->cck_base[group];\n\telse\n====>\t\ttx_power = pwr_idx_2g->bw40_base[group];\n\nThe associated arrays are defined in main.h as follows:\n\nstruct rtw_2g_txpwr_idx {\n\tu8 cck_base[6];\n\tu8 bw40_base[5];\n\tstruct rtw_2g_1s_pwr_idx_diff ht_1s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_2s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_3s_diff;\n\tstruct rtw_2g_ns_pwr_idx_diff ht_4s_diff;\n};\n\nThe problem arises because the value of group is 5 for channel 14. The trivial\nincrease in the dimension of bw40_base fails as this struct must match the layout of\nefuse. The fix is to add the rate as an argument to rtw_get_channel_group() and set\nthe group for channel 14 to 4 if rate <= DESC_RATE11M.\n\nThis patch fixes commit fa6dfe6bff24 (\"rtw88: resolve order of tx power setting routines\")" } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/net/wireless/realtek/rtw88/phy.c" ], "versions": [ { "version": "fa6dfe6bff246ddd5be3cfe81637f137acd6c294", "lessThan": "6b5aa0cf321c25f41e09a61c83ee4dc7ab9549cb", "status": "affected", "versionType": "git" }, { "version": "fa6dfe6bff246ddd5be3cfe81637f137acd6c294", "lessThan": "95fb153c6027924cda3422120169d1890737f3a0", "status": "affected", "versionType": "git" }, { "version": "fa6dfe6bff246ddd5be3cfe81637f137acd6c294", "lessThan": "5f3dbced8eaa5c9ed7d6943f3fea99f235a6516a", "status": "affected", "versionType": "git" }, { "version": "fa6dfe6bff246ddd5be3cfe81637f137acd6c294", "lessThan": "9cd09722e18a08b6a3d68b8bccfac39ddc22434c", "status": "affected", "versionType": "git" }, { "version": "fa6dfe6bff246ddd5be3cfe81637f137acd6c294", "lessThan": "2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "drivers/net/wireless/realtek/rtw88/phy.c" ], "versions": [ { "version": "5.3", "status": "affected" }, { "version": "0", "lessThan": "5.3", "status": "unaffected", "versionType": "semver" }, { "version": "5.4.119", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.10.37", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.11.21", "lessThanOrEqual": "5.11.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.12.4", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.4.119" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.10.37" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.11.21" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.12.4" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndExcluding": "5.13" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/6b5aa0cf321c25f41e09a61c83ee4dc7ab9549cb" }, { "url": "https://git.kernel.org/stable/c/95fb153c6027924cda3422120169d1890737f3a0" }, { "url": "https://git.kernel.org/stable/c/5f3dbced8eaa5c9ed7d6943f3fea99f235a6516a" }, { "url": "https://git.kernel.org/stable/c/9cd09722e18a08b6a3d68b8bccfac39ddc22434c" }, { "url": "https://git.kernel.org/stable/c/2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e" } ], "title": "rtw88: Fix array overrun in rtw_get_tx_power_params()", "x_generator": { "engine": "bippy-1.2.0" } }, "adp": [ { "title": "CISA ADP Vulnrichment", "metrics": [ { "other": { "type": "ssvc", "content": { "id": "CVE-2021-47065", "role": "CISA Coordinator", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "version": "2.0.3", "timestamp": "2024-03-06T19:40:45.781001Z" } } } ], "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:13:26.150Z" } }, { "providerMetadata": { "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:24:39.558Z" }, "title": "CVE Program Container", "references": [ { "url": "https://git.kernel.org/stable/c/6b5aa0cf321c25f41e09a61c83ee4dc7ab9549cb", "tags": [ "x_transferred" ] }, { "url": "https://git.kernel.org/stable/c/95fb153c6027924cda3422120169d1890737f3a0", "tags": [ "x_transferred" ] }, { "url": "https://git.kernel.org/stable/c/5f3dbced8eaa5c9ed7d6943f3fea99f235a6516a", "tags": [ "x_transferred" ] }, { "url": "https://git.kernel.org/stable/c/9cd09722e18a08b6a3d68b8bccfac39ddc22434c", "tags": [ "x_transferred" ] }, { "url": "https://git.kernel.org/stable/c/2ff25985ea9ccc6c9af2c77b0b49045adcc62e0e", "tags": [ "x_transferred" ] } ] } ] } }