HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Local Privilege Escalation in Realtek rtl819x Wi‑Fi Driver SDK (CVE‑2026‑36355) Threatens Embedded Linux Devices

A publicly disclosed exploit (CVE‑2026‑36355) bypasses capability checks in Realtek rtl819x Wi‑Fi driver SDK, allowing any unprivileged user on Linux 3.18‑based ARM devices to gain root. The flaw impacts telecom CPE, IoT gateways, and any third‑party service that ships with the driver, raising urgent TPRM concerns.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 exploit-db.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
exploit-db.com

Local Privilege Escalation in Realtek rtl819x Wi‑Fi Driver SDK (CVE‑2026‑36355) Threatens Embedded Linux Devices

What Happened — A publicly‑available exploit (EDB‑52580) targets Realtek rtl819x out‑of‑tree Wi‑Fi driver SDK (versions through v3.4.14B). The flaw (CVE‑2026‑36355) bypasses capability checks on two ioctl commands, allowing any unprivileged user to read/write kernel memory and obtain root on Linux 3.18‑based ARM devices.

Why It Matters for TPRM

  • Devices that embed the rtl819x driver (e.g., 4G LTE CPE, IoT gateways, industrial routers) can be fully compromised by a low‑privilege attacker.
  • Compromise of a network edge device provides a foothold for lateral movement into corporate LANs and cloud back‑ends.
  • Many MSPs and telecom operators rely on these CPEs as part of their managed services, expanding the attack surface across multiple customers.

Who Is Affected — Telecommunications, IoT manufacturers, Managed Service Providers, and any organization deploying embedded Linux routers or LTE CPE that ship with the Realtek rtl819x driver SDK.

Recommended Actions

  • Inventory all hardware that uses Realtek rtl819x (or derivatives) and verify firmware version.
  • Apply vendor‑released patches or replace the driver with a patched build.
  • Enforce least‑privilege policies; restrict access to network interfaces for non‑admin users.
  • Conduct penetration testing of edge devices to confirm remediation.

Technical Notes — The exploit leverages missing capability checks on ioctl 0x89F5/0x89F6 (write_mem/read_mem). It auto‑detects task_struct offsets from init_task, works on ARMv7 Cortex‑A7 platforms without KASLR, and requires no prior root access. CVE‑2026‑36355 is assigned a CVSS v3.1 base score of 9.8 (Critical). Source: Exploit‑DB 52580

📰 Original Source
https://www.exploit-db.com/exploits/52580

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →