Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: libertas: fix use-after-free in lbs_free_adapter()

The lbs_free_adapter() function uses timer_delete() (non-synchronous)
for both command_timer and tx_lockup_timer before the structure is
freed. This is incorrect because timer_delete() does not wait for
any running timer callback to complete.

If a timer callback is executing when lbs_free_adapter() is called,
the callback will access freed memory since lbs_cfg_free() frees the
containing structure immediately after lbs_free_adapter() returns.

Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler)
access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields,
which would all be use-after-free violations.

Use timer_delete_sync() instead to ensure any running timer callback
has completed before returning.

This bug was introduced in commit 8f641d93c38a ("libertas: detect TX
lockups and reset hardware") where del_timer() was used instead of
del_timer_sync() in the cleanup path. The command_timer has had the
same issue since the driver was first written.
Published: 2026-03-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an incorrect use of timer_delete() in the Linux kernel’s libertas WiFi driver. During adapter clean‑up, the driver deletes timers that may still be executing, causing the timer callback to run on memory that has already been freed. This results in use‑after‑free violations of several internal fields, potentially corrupting kernel memory, causing crashes, or instability.

Affected Systems

All installations of the Linux kernel that include the libertas WiFi driver and have not applied the patch are affected. The flaw was introduced by commit 8f641d93c38a and has existed in all earlier kernel versions; the fix was merged after that commit. Users running kernels before the patch or custom builds that contain the unpatched driver code should verify whether they are vulnerable.

Risk and Exploitability

The CVSS score of 7.8 reflects a high severity, while the EPSS score is reported as less than 1 %, indicating a low probability of widespread exploitation. The defect is not listed in CISA’s known exploited vulnerability catalog. Exploitation would require the victim to be running the affected driver while its timers are active during a teardown sequence. Consequently, the risk level is moderate to low, though any successful exploitation could cause kernel crashes or instability. Potential privilege escalation is inferred due to the nature of the use‑after‑free in kernel space, but no confirmed exploitation path is documented. The likely attack vector involves a local user triggering a device teardown, limiting the exploitation scope.

Generated by OpenCVE AI on May 22, 2026 at 01:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the patch replacing timer_delete() with timer_delete_sync() in the libertas driver.
  • If an upgrade is not possible, disable or replace the libertas WiFi driver until a patched kernel is available.
  • Ensure that systems without WiFi hardware have the libertas module excluded from boot or module loading configuration to avoid accidental exposure.

Generated by OpenCVE AI on May 22, 2026 at 01:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Fri, 22 May 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-416

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-416

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If a timer callback is executing when lbs_free_adapter() is called, the callback will access freed memory since lbs_cfg_free() frees the containing structure immediately after lbs_free_adapter() returns. Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler) access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields, which would all be use-after-free violations. Use timer_delete_sync() instead to ensure any running timer callback has completed before returning. This bug was introduced in commit 8f641d93c38a ("libertas: detect TX lockups and reset hardware") where del_timer() was used instead of del_timer_sync() in the cleanup path. The command_timer has had the same issue since the driver was first written.
Title wifi: libertas: fix use-after-free in lbs_free_adapter()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:03:49.865Z

Reserved: 2026-01-13T15:37:45.992Z

Link: CVE-2026-23281

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T11:16:22.657

Modified: 2026-05-22T00:31:53.367

Link: CVE-2026-23281

cve-icon Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23281 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T02:00:14Z

Weaknesses