Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mld: cancel mlo_scan_start_wk

mlo_scan_start_wk is not canceled on disconnection. In fact, it is not
canceled anywhere except in the restart cleanup, where we don't really
have to.

This can cause an init-after-queue issue: if, for example, the work was
queued and then drv_change_interface got executed.

This can also cause use-after-free: if the work is executed after the
vif is freed.
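The ordering defect the commit message describes, as an added illustration that is not part of this record, of the iwlwifi driver or of the kernel: a toy single-threaded model of a workqueue (the names queue_work, cancel_work_sync and vif are borrowed from the kernel API and the commit, but these are stand-ins, not the kernel's implementation). A vif occupies a static slot whose `alive` flag models whether its memory is still valid, so a handler that runs on a dead slot is counted as the use-after-free instead of dereferencing freed memory. The two flows reproduce both failure modes named in the commit: work left queued across the vif being freed (use-after-free) and work left queued across the vif being re-initialised by an interface change (init-after-queue), each with and without the cancel the fix adds.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added model, not kernel code: a single-threaded pending-work list that
 * stands in for the workqueue, so the lifecycle ordering can be observed. */

#define MAX_WORK 8
#define MAX_VIFS 4

struct work_item;
typedef void (*work_fn)(struct work_item *);

struct work_item {
    work_fn fn;
    int vif_slot;          /* which vif slot this work belongs to */
    bool queued;
};

/* 'alive' models whether the vif's memory is still valid (freed => false). */
struct vif {
    bool alive;
    bool connected;
    int scans_started;
    struct work_item mlo_scan_start_wk;   /* name taken from the commit */
};

static struct vif vifs[MAX_VIFS];
static struct work_item *pending[MAX_WORK];
static int npending;
static int uaf_count;      /* handler runs that hit a freed vif */

static void queue_work(struct work_item *w)
{
    if (w->queued || npending >= MAX_WORK)
        return;
    w->queued = true;
    pending[npending++] = w;
}

/* Model of cancel_work_sync(): drop the item from the queue before it runs. */
static void cancel_work_sync(struct work_item *w)
{
    for (int i = 0; i < npending; i++) {
        if (pending[i] == w) {
            memmove(&pending[i], &pending[i + 1],
                    (size_t)(npending - i - 1) * sizeof *pending);
            npending--;
            break;
        }
    }
    w->queued = false;
}

/* What the workqueue thread would do later: run everything still queued. */
static void run_pending(void)
{
    while (npending) {
        struct work_item *w = pending[0];
        memmove(&pending[0], &pending[1], (size_t)(npending - 1) * sizeof *pending);
        npending--;
        w->queued = false;
        w->fn(w);
    }
}

static void mlo_scan_start(struct work_item *w)
{
    struct vif *v = &vifs[w->vif_slot];
    if (!v->alive) {       /* in the kernel this would be a dangling pointer */
        uaf_count++;
        return;
    }
    v->scans_started++;
}

/* Allocate or re-initialise the vif in a slot (models alloc + INIT_WORK). */
static struct vif *vif_alloc(int slot)
{
    struct vif *v = &vifs[slot];
    memset(v, 0, sizeof *v);
    v->alive = true;
    v->connected = true;
    v->mlo_scan_start_wk.fn = mlo_scan_start;
    v->mlo_scan_start_wk.vif_slot = slot;
    return v;
}

static void vif_free(struct vif *v) { v->alive = false; }

/* Disconnect path: work queued, then the vif goes away. cancel=false is the
 * pre-fix behaviour. Returns how many handler runs touched a freed vif. */
static int disconnect_flow(int slot, bool cancel)
{
    uaf_count = 0;
    struct vif *v = vif_alloc(slot);
    queue_work(&v->mlo_scan_start_wk);
    v->connected = false;
    if (cancel)
        cancel_work_sync(&v->mlo_scan_start_wk);   /* the fix: cancel on disconnect */
    vif_free(v);
    run_pending();
    return uaf_count;
}

/* Interface-change path (the init-after-queue case): work queued, then the vif
 * is re-initialised in place. Returns scans started on the fresh vif, which
 * should be zero because nothing on the new interface asked for one. */
static int change_interface_flow(int slot, bool cancel)
{
    struct vif *v = vif_alloc(slot);
    queue_work(&v->mlo_scan_start_wk);
    if (cancel)
        cancel_work_sync(&v->mlo_scan_start_wk);
    v = vif_alloc(slot);   /* re-init while the stale work is still pending */
    run_pending();
    return v->scans_started;
}

int main(void)
{
    printf("disconnect, no cancel:   %d run(s) on freed vif\n", disconnect_flow(0, false));
    printf("disconnect, with cancel: %d run(s) on freed vif\n", disconnect_flow(0, true));
    printf("change iface, no cancel:   %d stale scan(s)\n", change_interface_flow(1, false));
    printf("change iface, with cancel: %d stale scan(s)\n", change_interface_flow(1, true));
    return 0;
}
```

The defender's takeaway is the ordering rule the fix enforces: any delayed work that captures a pointer to an object must be cancelled (synchronously, so an in-flight run finishes first) before that object is torn down or re-initialised, not only in the restart-cleanup path.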
Published: 2026-02-14
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑After‑Free that can lead to kernel memory corruption and potential denial‑of‑service
Action: Immediate patch
AI Analysis

Impact

The iwlwifi driver contains a flaw where the work queue task mlo_scan_start_wk is not properly cancelled when a Wi‑Fi interface disconnects. This oversight can cause an init‑after‑queue condition and, if the work is executed after the corresponding virtual interface has been freed, a use‑after‑free error. The resulting memory corruption could allow a malicious actor to corrupt kernel data structures, leading to denial‑of‑service.

Affected Systems

All Linux kernel versions that include the buggy iwlwifi code are affected, specifically the 6.19 release candidates from rc1 through rc8 as enumerated in the Common Platform Enumeration strings. Any installation using one of these kernel images without the corresponding patch is vulnerable, regardless of distribution.

Risk and Exploitability

The vulnerability has a CVSS score of 7.8, indicating high severity, but the EPSS score is reported as less than 1 %, suggesting a low probability of exploitation at the time of analysis. It is not listed in the CISA KEV catalog. Exploitation would require an attacker to trigger the problematic work queue, likely through manipulated wireless traffic or by forcing a disconnect of the affected interface, and is therefore considered an attack vector involving either local or network‑based conditions.

Generated by OpenCVE AI on April 16, 2026 at 00:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the iwlwifi mlo_scan_start_wk patch (e.g., kernel 6.19 rc9 or later)
  • If a kernel upgrade is not immediately possible, unload or disable the iwlwifi driver to prevent the vulnerable work queue from executing
  • Apply any vendor‑specific backported patch that addresses the iwlwifi use‑after‑free if your distribution provides one


Tracking


Advisories

No advisories yet.

History

Wed, 18 Mar 2026 15:15:00 +0000

Weaknesses
  Added: CWE-416
CPEs
  Added: cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
  Added: cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
  Added: cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
  Added: cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
  Added: cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
  Added: cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
  Added: cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
  Added: cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
Metrics
  Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 16 Feb 2026 12:15:00 +0000

References
Metrics
  Removed: threat_severity None
  Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: threat_severity Important


Sat, 14 Feb 2026 16:45:00 +0000

Description
  Added: In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: cancel mlo_scan_start_wk mlo_scan_start_wk is not canceled on disconnection. In fact, it is not canceled anywhere except in the restart cleanup, where we don't really have to. This can cause an init-after-queue issue: if, for example, the work was queued and then drv_change_interface got executed. This can also cause use-after-free: if the work is executed after the vif is freed.
Title
  Added: wifi: iwlwifi: mld: cancel mlo_scan_start_wk
First Time appeared
  Added: Linux; Linux Kernel
CPEs
  Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products
  Added: Linux; Linux Kernel
References

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T13:32:22.122Z

Reserved: 2026-01-13T15:37:45.984Z

Link: CVE-2026-23185

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-02-14T17:15:56.273

Modified: 2026-04-03T14:16:26.243

Link: CVE-2026-23185

Redhat

Severity : Important

Public Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23185 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T00:45:15Z

Weaknesses