{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23281", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.992Z", "datePublished": "2026-03-25T10:26:41.844Z", "dateUpdated": "2026-05-11T22:03:49.865Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:03:49.865Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix use-after-free in lbs_free_adapter()\n\nThe lbs_free_adapter() function uses timer_delete() (non-synchronous)\nfor both command_timer and tx_lockup_timer before the structure is\nfreed. This is incorrect because timer_delete() does not wait for\nany running timer callback to complete.\n\nIf a timer callback is executing when lbs_free_adapter() is called,\nthe callback will access freed memory since lbs_cfg_free() frees the\ncontaining structure immediately after lbs_free_adapter() returns.\n\nBoth timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler)\naccess priv->driver_lock, priv->cur_cmd, priv->dev, and other fields,\nwhich would all be use-after-free violations.\n\nUse timer_delete_sync() instead to ensure any running timer callback\nhas completed before returning.\n\nThis bug was introduced in commit 8f641d93c38a (\"libertas: detect TX\nlockups and reset hardware\") where del_timer() was used instead of\ndel_timer_sync() in the cleanup path. The command_timer has had the\nsame issue since the driver was first written."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/marvell/libertas/main.c"], "versions": [{"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b", "lessThan": "b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4", "status": "affected", "versionType": "git"}, {"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b", "lessThan": "09f3c30ab3b1371eaf9676a1b8add57bca763083", "status": "affected", "versionType": "git"}, {"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b", "lessThan": "3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc", "status": "affected", "versionType": "git"}, {"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b", "lessThan": "3c5c818c78b03a1725f3dcd566865c77b48dd3a6", "status": "affected", "versionType": "git"}, {"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b", "lessThan": "d0155fe68f31b339961cf2d4f92937d57e9384e6", "status": "affected", "versionType": "git"}, {"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b", "lessThan": "ed7d30f90b77f73a47498686ede83f622b7e4f0d", "status": "affected", "versionType": "git"}, {"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b", "lessThan": "a9f55b14486426d907459bced5825a25063bd922", "status": "affected", "versionType": "git"}, {"version": "954ee164f4f4598afc172c0ec3865d0352e55a0b", "lessThan": "03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/marvell/libertas/main.c"], "versions": [{"version": "2.6.24", "status": "affected"}, {"version": "0", "lessThan": "2.6.24", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.24", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4"}, {"url": "https://git.kernel.org/stable/c/09f3c30ab3b1371eaf9676a1b8add57bca763083"}, {"url": "https://git.kernel.org/stable/c/3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc"}, {"url": "https://git.kernel.org/stable/c/3c5c818c78b03a1725f3dcd566865c77b48dd3a6"}, {"url": "https://git.kernel.org/stable/c/d0155fe68f31b339961cf2d4f92937d57e9384e6"}, {"url": "https://git.kernel.org/stable/c/ed7d30f90b77f73a47498686ede83f622b7e4f0d"}, {"url": "https://git.kernel.org/stable/c/a9f55b14486426d907459bced5825a25063bd922"}, {"url": "https://git.kernel.org/stable/c/03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0"}], "title": "wifi: libertas: fix use-after-free in lbs_free_adapter()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix use-after-free in lbs_free_adapter()\n\nThe lbs_free_adapter() function uses timer_delete() (non-synchronous)\nfor both command_timer and tx_lockup_timer before the structure is\nfreed. This is incorrect because timer_delete() does not wait for\nany running timer callback to complete.\n\nIf a timer callback is executing when lbs_free_adapter() is called,\nthe callback will access freed memory since lbs_cfg_free() frees the\ncontaining structure immediately after lbs_free_adapter() returns.\n\nBoth timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler)\naccess priv->driver_lock, priv->cur_cmd, priv->dev, and other fields,\nwhich would all be use-after-free violations.\n\nUse timer_delete_sync() instead to ensure any running timer callback\nhas completed before returning.\n\nThis bug was introduced in commit 8f641d93c38a (\"libertas: detect TX\nlockups and reset hardware\") where del_timer() was used instead of\ndel_timer_sync() in the cleanup path. The command_timer has had the\nsame issue since the driver was first written."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: libertas: corregir uso despu\u00e9s de liberaci\u00f3n en lbs_free_adapter()\n\nLa funci\u00f3n lbs_free_adapter() usa timer_delete() (no s\u00edncrono) para command_timer y tx_lockup_timer antes de que la estructura sea liberada. Esto es incorrecto porque timer_delete() no espera a que ninguna devoluci\u00f3n de llamada de temporizador en ejecuci\u00f3n se complete.\n\nSi una devoluci\u00f3n de llamada de temporizador se est\u00e1 ejecutando cuando se llama a lbs_free_adapter(), la devoluci\u00f3n de llamada acceder\u00e1 a memoria liberada ya que lbs_cfg_free() libera la estructura contenedora inmediatamente despu\u00e9s de que lbs_free_adapter() retorna.\n\nAmbas devoluciones de llamada de temporizador (lbs_cmd_timeout_handler y lbs_tx_lockup_handler) acceden a priv->driver_lock, priv->cur_cmd, priv->dev y otros campos, lo que ser\u00edan todas violaciones de uso despu\u00e9s de liberaci\u00f3n.\n\nUsar timer_delete_sync() en su lugar para asegurar que cualquier devoluci\u00f3n de llamada de temporizador en ejecuci\u00f3n se haya completado antes de retornar.\n\nEste error fue introducido en el commit 8f641d93c38a ('libertas: detectar bloqueos de TX y reiniciar hardware') donde se us\u00f3 del_timer() en lugar de del_timer_sync() en la ruta de limpieza. El command_timer ha tenido el mismo problema desde que el controlador fue escrito por primera vez."}], "id": "CVE-2026-23281", "lastModified": "2026-04-18T09:16:16.350", "metrics": {}, "published": "2026-03-25T11:16:22.657", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/09f3c30ab3b1371eaf9676a1b8add57bca763083"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3c5c818c78b03a1725f3dcd566865c77b48dd3a6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a9f55b14486426d907459bced5825a25063bd922"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d0155fe68f31b339961cf2d4f92937d57e9384e6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ed7d30f90b77f73a47498686ede83f622b7e4f0d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: wifi: libertas: fix use-after-free in lbs_free_adapter()", "id": "2451239", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451239"}, "csaw": false, "cwe": "CWE-821", "details": ["A flaw was found in the Linux kernel's Marvell Libertas Wi-Fi driver. This vulnerability, a use-after-free, occurs because the system does not properly synchronize the freeing of memory with ongoing timer operations. If a timer attempts to access resources after they have been released, it can lead to system instability or crashes. In some scenarios, this type of flaw could potentially be exploited by an attacker to execute unauthorized code."], "name": "CVE-2026-23281", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23281\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23281\nhttps://lore.kernel.org/linux-cve-announce/2026032523-CVE-2026-23281-2e62@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[954ee164f4f4598afc172c0ec3865d0352e55a0b,3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[954ee164f4f4598afc172c0ec3865d0352e55a0b,3c5c818c78b03a1725f3dcd566865c77b48dd3a6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[954ee164f4f4598afc172c0ec3865d0352e55a0b,d0155fe68f31b339961cf2d4f92937d57e9384e6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[954ee164f4f4598afc172c0ec3865d0352e55a0b,ed7d30f90b77f73a47498686ede83f622b7e4f0d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[954ee164f4f4598afc172c0ec3865d0352e55a0b,a9f55b14486426d907459bced5825a25063bd922)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[954ee164f4f4598afc172c0ec3865d0352e55a0b,03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.24"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.24)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T14:28:13.237912+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that contains the patch replacing timer_delete() with timer_delete_sync() in the libertas driver.", "Verify that the running kernel uses the patched code, for example by checking the kernel version or reviewing driver logs.", "If an upgrade is not possible, consider disabling or replacing the libertas WiFi driver until a patched kernel is available."], "summary": {"action": "Immediate update", "impact": "Use\u2011after\u2011free in Linux kernel WiFi driver"}, "threat_synthesis": {"affected_systems": "All installations of the Linux kernel that include the libertas WiFi driver and have not applied the patch are affected. The flaw was introduced by commit 8f641d93c38a and has existed in all earlier kernel versions; the fix was merged after that commit. Users running kernels before the patch or custom builds that contain the unpatched driver code should verify whether they are vulnerable.", "description_and_impact": "The vulnerability arises from an incorrect use of timer_delete() in the Linux kernel\u2019s libertas WiFi driver. During adapter clean\u2011up, the driver deletes timers that may still be executing, causing the timer callback to run on memory that has already been freed. This results in use\u2011after\u2011free violations of several internal fields, potentially corrupting kernel memory, causing crashes, or enabling privilege escalation.", "risk_and_exploitability": "The EPSS score is reported as less than 1\u202f%, indicating a low probability of widespread exploitation. The defect is not listed in CISA\u2019s known exploited vulnerability catalog, and exploitation would require the victim to be running the affected driver while its timers are active during a teardown sequence. Consequently, the risk level is moderate to low, though any successful exploitation could elevate privileges or disrupt networking services. The likely attack vector involves a local user triggering a device teardown, making exploitation more limited in scope."}}}}, "created": "2026-03-25T21:15:49.305277+00:00", "updated": "2026-03-27T09:50:21.460347+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}