CVE-2026-23444 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure

ieee80211_tx_prepare_skb() has three error paths, but only two of them
free the skb. The first error path (ieee80211_tx_prepare() returning
TX_DROP) does not free it, while invoke_tx_handlers() failure and the
fragmentation check both do.

Add kfree_skb() to the first error path so all three are consistent,
and remove the now-redundant frees in callers (ath9k, mt76,
mac80211_hwsim) to avoid double-free.

Document the skb ownership guarantee in the function's kdoc.

Published: 2026-04-03

Score: 5.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The flaw resides in the Linux mac80211 Wi‑Fi stack where the transmit preparation routine fails to free a socket buffer consistently on error. When the first failure path is taken, the buffer is never released, leaving a dangling reference; other paths free the buffer twice. This inconsistency can corrupt kernel memory or crash the system. An attacker who can trigger the error route with crafted frames could potentially cause arbitrary code execution in kernel context.

Affected Systems

All Linux kernels that have not yet applied the fix are affected, including standard distributions that ship the default kernel for x86_64, ARM, and other architectures. The fix removes this problem from drivers such as ath9k, mt76, and mac80211_hwsim. Systems using older kernels that still contain the bug will remain vulnerable until an updated kernel is installed.

Risk and Exploitability

No CVSS score or EPSS value is provided and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known active exploits. Nevertheless, the bug involves kernel memory handling, so the risk is considered high if successfully exploited. The likely attack vector involves wireless traffic: an attacker would need to send specially crafted Wi‑Fi frames that trigger the transmit‑preparation error path, or potentially exploit a local user with privileges that can cause the driver to process frames.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`06be6b149f7e406bcf16098567f5a6c9f042bced`	affected	< 06e769dddcbeb3baf2ce346273b53dd61fdbecf4
`06be6b149f7e406bcf16098567f5a6c9f042bced`	affected	< 50f1b690b4868923fbd242298def2fb88662f108
`06be6b149f7e406bcf16098567f5a6c9f042bced`	affected	< d5ad6ab61cbd89afdb60881f6274f74328af3ee9

Linux

affected

Version	Status	Constraints
`3.13`	affected	—
`0`	unaffected	< 3.13
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0-rc5`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[06be6b149f7e406bcf16098567f5a6c9f042bced,06e769dddcbeb3baf2ce346273b53dd61fdbecf4)`	affected	code_commit	—
`[06be6b149f7e406bcf16098567f5a6c9f042bced,50f1b690b4868923fbd242298def2fb88662f108)`	affected	code_commit	—
`[06be6b149f7e406bcf16098567f5a6c9f042bced,d5ad6ab61cbd89afdb60881f6274f74328af3ee9)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.13`	affected	generic	—
`[0,3.13)`	unaffected	generic	—
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,6.20.0)`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a kernel version that includes the CVE-2026-23444 fix
Verify that the kernel version after the update reflects the patched code
Ensure that all embedded Wi‑Fi drivers are updated to the latest vendor release

Generated by OpenCVE AI on April 3, 2026 at 18:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/06e769dddcbeb3baf2ce346273b53dd61fdbecf4
https://git.kernel.org/stable/c/50f1b690b4868923fbd242298def2fb88662f108
https://git.kernel.org/stable/c/d5ad6ab61cbd89afdb60881f6274f74328af3ee9
https://lore.kernel.org/linux-cve-announce/2026040314-CVE-2026-23444-8169@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23444
https://www.cve.org/CVERecord?id=CVE-2026-23444

History

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1341
References		https://lore.kernel.org/linux-cve-announce/2026040314-CVE-2026-23444-8169@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23444 https://www.cve.org/CVERecord?id=CVE-2026-23444
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-415

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do. Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac80211_hwsim) to avoid double-free. Document the skb ownership guarantee in the function's kdoc.
Title		wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/06e769dddcbeb3baf2ce346273b53dd61fdbecf4 https://git.kernel.org/stable/c/50f1b690b4868923fbd242298def2fb88662f108 https://git.kernel.org/stable/c/d5ad6ab61cbd89afdb60881f6274f74328af3ee9

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:28.464Z

Updated: 2026-04-03T15:15:28.464Z

Reserved: 2026-01-13T15:37:46.019Z

Link: CVE-2026-23444

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-03T16:16:28.810

Modified: 2026-04-03T16:16:28.810

Link: CVE-2026-23444

Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23444 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:16:07Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object