{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/rtl8192e/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-36355"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["rtl819x Jungle SDK","rtl8192c","rtl8192d","rtl8192e","rtl8188e","rtl8812","rtl8881a","rtl8197f"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","realtek","linux"],"_cs_type":"advisory","_cs_vendors":["Realtek","Qualcomm"],"content_html":"\u003cp\u003eA local privilege escalation vulnerability (CVE-2026-36355) has been identified in the Realtek rtl819x Jungle SDK, affecting devices using the out-of-tree WiFi driver SDK. The vulnerability stems from missing capability checks on ioctl commands 0x89F5 (write_mem) and 0x89F6 (read_mem), allowing any unprivileged user to read and write kernel memory. An exploit (EDB-52580) has been published, demonstrating successful privilege escalation on Linux 3.18.48, ARMv7 Cortex-A7, Qualcomm MDM9607, and rtl8192es.ko. This vulnerability affects a wide range of Realtek chips, including RTL8192C/D/E, RTL8188E, RTL8812, RTL8881A, and RTL8197F. 
The availability of a working exploit significantly increases the risk to vulnerable systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unprivileged user executes the kpwn exploit binary.\u003c/li\u003e\n\u003cli\u003eThe exploit identifies a vulnerable Realtek rtl819x wireless interface.\u003c/li\u003e\n\u003cli\u003eThe exploit scans kernel memory to locate the \u003ccode\u003einit_task\u003c/code\u003e structure.\u003c/li\u003e\n\u003cli\u003eThe exploit auto-detects the offsets for \u003ccode\u003etasks\u003c/code\u003e, \u003ccode\u003epid\u003c/code\u003e, \u003ccode\u003ecred\u003c/code\u003e, and \u003ccode\u003ecomm\u003c/code\u003e within the \u003ccode\u003etask_struct\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe exploit walks the task list to find the current process\u0026rsquo;s \u003ccode\u003etask_struct\u003c/code\u003e using its PID.\u003c/li\u003e\n\u003cli\u003eThe exploit reads the current user\u0026rsquo;s credentials from the kernel memory.\u003c/li\u003e\n\u003cli\u003eThe exploit overwrites the user\u0026rsquo;s credentials in kernel memory, setting UID and GID to 0.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s privileges are escalated to root, granting full system access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unprivileged local user to gain full root privileges on the affected system. This can lead to complete system compromise, including data theft, modification, and destruction, as well as the installation of malware and backdoors. 
The wide range of affected Realtek chips means numerous embedded devices and IoT devices are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or mitigations from Realtek to address CVE-2026-36355 on affected rtl819x-based devices.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of the \u003ccode\u003ekpwn\u003c/code\u003e exploit binary on Linux systems using process creation logs, and deploy the Sigma rule \u0026ldquo;Detect Realtek KPwn Exploit Execution\u0026rdquo; to your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and limit access to wireless interfaces to authorized users only.\u003c/li\u003e\n\u003cli\u003eEnable logging for ioctl calls on Realtek wireless interfaces to detect attempts to use IOCTL_WRITE (0x89F5) and IOCTL_READ (0x89F6) with unexpected parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T12:51:08Z","date_published":"2026-05-27T12:51:08Z","id":"https://feed.craftedsignal.io/briefs/2026-05-realtek-lpe/","summary":"A local privilege escalation vulnerability exists in Realtek rtl819x Jungle SDK due to missing capability checks on ioctl commands, allowing unprivileged users to gain root privileges on affected Linux systems.","title":"Realtek rtl819x Local Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-realtek-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed — Rtl8192e","version":"https://jsonfeed.org/version/1.1"}