CVE-2026-23444 - Vulnerability Details

- wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure

ieee80211_tx_prepare_skb() has three error paths, but only two of them
free the skb. The first error path (ieee80211_tx_prepare() returning
TX_DROP) does not free it, while invoke_tx_handlers() failure and the
fragmentation check both do.

Add kfree_skb() to the first error path so all three are consistent,
and remove the now-redundant frees in callers (ath9k, mt76,
mac80211_hwsim) to avoid double-free.

Document the skb ownership guarantee in the function's kdoc.

Published: 2026-04-03

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The kernel function ieee80211_tx_prepare_skb() inconsistently frees the network buffer across its error paths, creating an opportunity for a double‑free. This memory corruption can cause a kernel panic or crash, disrupting availability and compromising system stability.

Affected Systems

The vulnerability affects the Linux kernel’s mac80211 Wi‑Fi stack, including drivers such as ath9k, mt76, and mac80211_hwsim. All kernel releases before the applied fix are potentially impacted; no specific versions were listed.

Risk and Exploitability

With a CVSS score of 5.5 and an EPSS probability under 1%, the likelihood of exploitation is considered low, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector is inferred to be local or remote via a crafted Wi‑Fi transmission that triggers the erroneous return path, potentially leading to a double‑free scenario and kernel instability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`06be6b149f7e406bcf16098567f5a6c9f042bced`	affected	< 06e769dddcbeb3baf2ce346273b53dd61fdbecf4
`06be6b149f7e406bcf16098567f5a6c9f042bced`	affected	< 50f1b690b4868923fbd242298def2fb88662f108
`06be6b149f7e406bcf16098567f5a6c9f042bced`	affected	< d5ad6ab61cbd89afdb60881f6274f74328af3ee9

Linux

affected

Version	Status	Constraints
`3.13`	affected	—
`0`	unaffected	< 3.13
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:3.13:-::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[06be6b149f7e406bcf16098567f5a6c9f042bced,06e769dddcbeb3baf2ce346273b53dd61fdbecf4)`	affected	code_commit	—
`[06be6b149f7e406bcf16098567f5a6c9f042bced,50f1b690b4868923fbd242298def2fb88662f108)`	affected	code_commit	—
`[06be6b149f7e406bcf16098567f5a6c9f042bced,d5ad6ab61cbd89afdb60881f6274f74328af3ee9)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.13`	affected	generic	—
`[0,3.13)`	unaffected	generic	—
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,6.20.0)`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that incorporates the skb free correction.
If an update cannot be applied immediately, disable the WiFi subsystem or corresponding drivers until a patch is available.

Generated by OpenCVE AI on April 7, 2026 at 09:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/06e769dddcbeb3baf2ce346273b53dd61fdbecf4
https://git.kernel.org/stable/c/50f1b690b4868923fbd242298def2fb88662f108
https://git.kernel.org/stable/c/d5ad6ab61cbd89afdb60881f6274f74328af3ee9
https://lore.kernel.org/linux-cve-announce/2026040314-CVE-2026-23444-8169@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23444
https://www.cve.org/CVERecord?id=CVE-2026-23444

History

Thu, 23 Apr 2026 21:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401
CPEs		cpe:2.3:o:linux:linux_kernel:3.13:-:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

Tue, 07 Apr 2026 08:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-415

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1341
References		https://lore.kernel.org/linux-cve-announce/2026040314-CVE-2026-23444-8169@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23444 https://www.cve.org/CVERecord?id=CVE-2026-23444
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-415

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do. Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac80211_hwsim) to avoid double-free. Document the skb ownership guarantee in the function's kdoc.
Title		wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/06e769dddcbeb3baf2ce346273b53dd61fdbecf4 https://git.kernel.org/stable/c/50f1b690b4868923fbd242298def2fb88662f108 https://git.kernel.org/stable/c/d5ad6ab61cbd89afdb60881f6274f74328af3ee9

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:28.464Z

Updated: 2026-04-13T06:07:34.818Z

Reserved: 2026-01-13T15:37:46.019Z

Link: CVE-2026-23444

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-03T16:16:28.810

Modified: 2026-04-23T20:58:42.750

Link: CVE-2026-23444

Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23444 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:53:57Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object