CVE-2026-23281 - Vulnerability Details

- wifi: libertas: fix use-after-free in lbs_free_adapter()

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: libertas: fix use-after-free in lbs_free_adapter()

The lbs_free_adapter() function uses timer_delete() (non-synchronous)
for both command_timer and tx_lockup_timer before the structure is
freed. This is incorrect because timer_delete() does not wait for
any running timer callback to complete.

If a timer callback is executing when lbs_free_adapter() is called,
the callback will access freed memory since lbs_cfg_free() frees the
containing structure immediately after lbs_free_adapter() returns.

Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler)
access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields,
which would all be use-after-free violations.

Use timer_delete_sync() instead to ensure any running timer callback
has completed before returning.

This bug was introduced in commit 8f641d93c38a ("libertas: detect TX
lockups and reset hardware") where del_timer() was used instead of
del_timer_sync() in the cleanup path. The command_timer has had the
same issue since the driver was first written.

Published: 2026-03-25

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from an incorrect use of timer_delete() in the Linux kernel’s libertas WiFi driver. During adapter clean‑up, the driver deletes timers that may still be executing, causing the timer callback to run on memory that has already been freed. This results in use‑after‑free violations of several internal fields, potentially corrupting kernel memory, causing crashes, or enabling privilege escalation.

Affected Systems

All installations of the Linux kernel that include the libertas WiFi driver and have not applied the patch are affected. The flaw was introduced by commit 8f641d93c38a and has existed in all earlier kernel versions; the fix was merged after that commit. Users running kernels before the patch or custom builds that contain the unpatched driver code should verify whether they are vulnerable.

Risk and Exploitability

The EPSS score is reported as less than 1 %, indicating a low probability of widespread exploitation. The defect is not listed in CISA’s known exploited vulnerability catalog, and exploitation would require the victim to be running the affected driver while its timers are active during a teardown sequence. Consequently, the risk level is moderate to low, though any successful exploitation could elevate privileges or disrupt networking services. The likely attack vector involves a local user triggering a device teardown, making exploitation more limited in scope.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`954ee164f4f4598afc172c0ec3865d0352e55a0b`	affected	< b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4
`954ee164f4f4598afc172c0ec3865d0352e55a0b`	affected	< 09f3c30ab3b1371eaf9676a1b8add57bca763083
`954ee164f4f4598afc172c0ec3865d0352e55a0b`	affected	< 3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc
`954ee164f4f4598afc172c0ec3865d0352e55a0b`	affected	< 3c5c818c78b03a1725f3dcd566865c77b48dd3a6
`954ee164f4f4598afc172c0ec3865d0352e55a0b`	affected	< d0155fe68f31b339961cf2d4f92937d57e9384e6
`954ee164f4f4598afc172c0ec3865d0352e55a0b`	affected	< ed7d30f90b77f73a47498686ede83f622b7e4f0d
`954ee164f4f4598afc172c0ec3865d0352e55a0b`	affected	< a9f55b14486426d907459bced5825a25063bd922
`954ee164f4f4598afc172c0ec3865d0352e55a0b`	affected	< 03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0

Linux

affected

Version	Status	Constraints
`2.6.24`	affected	—
`0`	unaffected	< 2.6.24
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[954ee164f4f4598afc172c0ec3865d0352e55a0b,3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc)`	affected	code_commit	—
`[954ee164f4f4598afc172c0ec3865d0352e55a0b,3c5c818c78b03a1725f3dcd566865c77b48dd3a6)`	affected	code_commit	—
`[954ee164f4f4598afc172c0ec3865d0352e55a0b,d0155fe68f31b339961cf2d4f92937d57e9384e6)`	affected	code_commit	—
`[954ee164f4f4598afc172c0ec3865d0352e55a0b,ed7d30f90b77f73a47498686ede83f622b7e4f0d)`	affected	code_commit	—
`[954ee164f4f4598afc172c0ec3865d0352e55a0b,a9f55b14486426d907459bced5825a25063bd922)`	affected	code_commit	—
`[954ee164f4f4598afc172c0ec3865d0352e55a0b,03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.24`	affected	semver	—
`[0,2.6.24)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc2,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that contains the patch replacing timer_delete() with timer_delete_sync() in the libertas driver.
Verify that the running kernel uses the patched code, for example by checking the kernel version or reviewing driver logs.
If an upgrade is not possible, consider disabling or replacing the libertas WiFi driver until a patched kernel is available.

Generated by OpenCVE AI on March 26, 2026 at 14:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0
https://git.kernel.org/stable/c/09f3c30ab3b1371eaf9676a1b8add57bca763083
https://git.kernel.org/stable/c/3c5c818c78b03a1725f3dcd566865c77b48dd3a6
https://git.kernel.org/stable/c/3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc
https://git.kernel.org/stable/c/a9f55b14486426d907459bced5825a25063bd922
https://git.kernel.org/stable/c/b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4
https://git.kernel.org/stable/c/d0155fe68f31b339961cf2d4f92937d57e9384e6
https://git.kernel.org/stable/c/ed7d30f90b77f73a47498686ede83f622b7e4f0d
https://lore.kernel.org/linux-cve-announce/2026032523-CVE-2026-23281-2e62@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23281
https://www.cve.org/CVERecord?id=CVE-2026-23281

History

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/09f3c30ab3b1371eaf9676a1b8add57bca763083 https://git.kernel.org/stable/c/b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119 CWE-416

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-821
References		https://lore.kernel.org/linux-cve-announce/2026032523-CVE-2026-23281-2e62@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23281 https://www.cve.org/CVERecord?id=CVE-2026-23281

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-416

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If a timer callback is executing when lbs_free_adapter() is called, the callback will access freed memory since lbs_cfg_free() frees the containing structure immediately after lbs_free_adapter() returns. Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler) access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields, which would all be use-after-free violations. Use timer_delete_sync() instead to ensure any running timer callback has completed before returning. This bug was introduced in commit 8f641d93c38a ("libertas: detect TX lockups and reset hardware") where del_timer() was used instead of del_timer_sync() in the cleanup path. The command_timer has had the same issue since the driver was first written.
Title		wifi: libertas: fix use-after-free in lbs_free_adapter()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0 https://git.kernel.org/stable/c/3c5c818c78b03a1725f3dcd566865c77b48dd3a6 https://git.kernel.org/stable/c/3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc https://git.kernel.org/stable/c/a9f55b14486426d907459bced5825a25063bd922 https://git.kernel.org/stable/c/d0155fe68f31b339961cf2d4f92937d57e9384e6 https://git.kernel.org/stable/c/ed7d30f90b77f73a47498686ede83f622b7e4f0d

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:26:41.844Z

Updated: 2026-04-18T08:57:36.792Z

Reserved: 2026-01-13T15:37:45.992Z

Link: CVE-2026-23281

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:22.657

Modified: 2026-04-18T09:16:16.350

Link: CVE-2026-23281

Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23281 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:50:21Z

Weaknesses

CWE-821

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object