CVE-2026-23281

HIGH EPSS 2.6%
Published Mar 25, 20263mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Mar 25, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If a timer callback is executing when lbs_free_adapter() is called, the callback will access freed memory since lbs_cfg_free() frees the containing structure immediately after lbs_free_adapter() returns. Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler) access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields, which would all be use-after-free violations. Use timer_delete_sync() instead to ensure any running timer callback has completed before returning. This bug was introduced in commit 8f641d93c38a ("libertas: detect TX lockups and reset hardware") where del_timer() was used instead of del_timer_sync() in the cleanup path. The command_timer has had the same issue since the driver was first written.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 8

VendorProductVersionRange
linuxlinux_kernel*≥2.6.24  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.167
linuxlinux_kernel*≥6.2  –  <6.6.130
linuxlinux_kernel*≥6.7  –  <6.12.78
linuxlinux_kernel*≥6.13  –  <6.18.17
linuxlinux_kernel*≥6.19  –  <6.19.7
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/09f3c30ab3b1371eaf9676a1b8add57bca763083
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3c5c818c78b03a1725f3dcd566865c77b48dd3a6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a9f55b14486426d907459bced5825a25063bd922
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d0155fe68f31b339961cf2d4f92937d57e9384e6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ed7d30f90b77f73a47498686ede83f622b7e4f0d
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/09f3c30ab3b1371eaf9676a1b8add57bca763083
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3c5c818c78b03a1725f3dcd566865c77b48dd3a6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a9f55b14486426d907459bced5825a25063bd922
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d0155fe68f31b339961cf2d4f92937d57e9384e6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ed7d30f90b77f73a47498686ede83f622b7e4f0d
    Patch