Local Privilege Escalation in Realtek rtl819x Wi‑Fi Driver SDK (CVE‑2026‑36355) Threatens Embedded Linux Devices
What Happened — A publicly‑available exploit (EDB‑52580) targets Realtek rtl819x out‑of‑tree Wi‑Fi driver SDK (versions through v3.4.14B). The flaw (CVE‑2026‑36355) bypasses capability checks on two ioctl commands, allowing any unprivileged user to read/write kernel memory and obtain root on Linux 3.18‑based ARM devices.
Why It Matters for TPRM —
- Devices that embed the rtl819x driver (e.g., 4G LTE CPE, IoT gateways, industrial routers) can be fully compromised by a low‑privilege attacker.
- Compromise of a network edge device provides a foothold for lateral movement into corporate LANs and cloud back‑ends.
- Many MSPs and telecom operators rely on these CPEs as part of their managed services, expanding the attack surface across multiple customers.
Who Is Affected — Telecommunications, IoT manufacturers, Managed Service Providers, and any organization deploying embedded Linux routers or LTE CPE that ship with the Realtek rtl819x driver SDK.
Recommended Actions —
- Inventory all hardware that uses Realtek rtl819x (or derivatives) and verify firmware version.
- Apply vendor‑released patches or replace the driver with a patched build.
- Enforce least‑privilege policies; restrict access to network interfaces for non‑admin users.
- Conduct penetration testing of edge devices to confirm remediation.
Technical Notes — The exploit leverages missing capability checks on ioctl 0x89F5/0x89F6 (write_mem/read_mem). It auto‑detects task_struct offsets from init_task, works on ARMv7 Cortex‑A7 platforms without KASLR, and requires no prior root access. CVE‑2026‑36355 is assigned a CVSS v3.1 base score of 9.8 (Critical). Source: Exploit‑DB 52580