CVE-2026-23454 - Vulnerability Details

- net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown

Description

In the Linux kernel, the following vulnerability has been resolved:

net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown

A potential race condition exists in mana_hwc_destroy_channel() where
hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and
Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt
handler to dereference freed memory, leading to a use-after-free or
NULL pointer dereference in mana_hwc_handle_resp().

mana_smc_teardown_hwc() signals the hardware to stop but does not
synchronize against IRQ handlers already executing on other CPUs. The
IRQ synchronization only happens in mana_hwc_destroy_cq() via
mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs
after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler()
can dereference freed caller_ctx (and rxq->msg_buf) in
mana_hwc_handle_resp().

Fix this by reordering teardown to reverse-of-creation order: destroy
the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This
ensures all in-flight interrupt handlers complete before the memory they
access is freed.

Published: 2026-04-03

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A race condition in the Linux kernel’s HWC mana subsystem allows an in‑flight CQ interrupt handler to access freed memory. The bug causes a use‑after‑free or NULL pointer dereference in mana_hwc_handle_resp(), potentially corrupting kernel data structures.

Affected Systems

All Linux kernel builds that include the mana wireless HWC driver and have not applied the commit that reorders teardown are affected. The vulnerability applies to any system on which this driver is loaded, with no specific distribution or kernel version enumerated.

Risk and Exploitability

The CVSS score of 7.0 indicates moderate severity. Exploitation requires a local attacker who can trigger the race condition by interacting with the HWC subsystem. The EPSS score is not available and the CVE is not listed in the KISA KEV catalog. The lack of a documented public exploit does not mitigate the inherent kernel memory corruption risk; it is inferred that a local attack vector would be required to exercise the vulnerability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f`	affected	< b88edf12fc3779521ae5f6f1584153b15f7da6df
`ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f`	affected	< e23bf444512cb85d76012080a76cd1f9e967448e
`ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f`	affected	< 249e905571583a434d4ea8d6f92ccc0eef337115
`ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f`	affected	< 2b001901f689021acd7bf2dceed74a1bdcaaa1f9
`ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f`	affected	< afdb1533eb9c05432aeb793a7280fa827c502f5c
`ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f`	affected	< 05d345719d85b927cba74afac4d5322de3aa4256
`ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f`	affected	< fa103fc8f56954a60699a29215cb713448a39e87

Linux

affected

Version	Status	Constraints
`5.13`	affected	—
`0`	unaffected	< 5.13
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f,e23bf444512cb85d76012080a76cd1f9e967448e)`	affected	code_commit	—
`[ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f,249e905571583a434d4ea8d6f92ccc0eef337115)`	affected	code_commit	—
`[ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f,2b001901f689021acd7bf2dceed74a1bdcaaa1f9)`	affected	code_commit	—
`[ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f,afdb1533eb9c05432aeb793a7280fa827c502f5c)`	affected	code_commit	—
`[ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f,05d345719d85b927cba74afac4d5322de3aa4256)`	affected	code_commit	—
`[ca9c54d2d6a5ab2430c4eda364c77125d62e5e0f,fa103fc8f56954a60699a29215cb713448a39e87)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.13`	affected	generic	—
`[0,5.13)`	unaffected	generic	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,6.20.0)`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the commit fixing the mana HWC teardown order.
If a full kernel update is not immediately possible, apply the patch from the kernel repository to the affected driver and reboot to load the patched code.
Confirm the kernel version or patch status after updating to verify the vulnerability has been mitigated.

Generated by OpenCVE AI on April 4, 2026 at 04:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/05d345719d85b927cba74afac4d5322de3aa4256
https://git.kernel.org/stable/c/249e905571583a434d4ea8d6f92ccc0eef337115
https://git.kernel.org/stable/c/2b001901f689021acd7bf2dceed74a1bdcaaa1f9
https://git.kernel.org/stable/c/afdb1533eb9c05432aeb793a7280fa827c502f5c
https://git.kernel.org/stable/c/b88edf12fc3779521ae5f6f1584153b15f7da6df
https://git.kernel.org/stable/c/e23bf444512cb85d76012080a76cd1f9e967448e
https://git.kernel.org/stable/c/fa103fc8f56954a60699a29215cb713448a39e87
https://lore.kernel.org/linux-cve-announce/2026040317-CVE-2026-23454-a999@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23454
https://www.cve.org/CVERecord?id=CVE-2026-23454

History

Sat, 18 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/b88edf12fc3779521ae5f6f1584153b15f7da6df

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026040317-CVE-2026-23454-a999@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23454 https://www.cve.org/CVERecord?id=CVE-2026-23454
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown A potential race condition exists in mana_hwc_destroy_channel() where hwc->caller_ctx is freed before the HWC's Completion Queue (CQ) and Event Queue (EQ) are destroyed. This allows an in-flight CQ interrupt handler to dereference freed memory, leading to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp(). mana_smc_teardown_hwc() signals the hardware to stop but does not synchronize against IRQ handlers already executing on other CPUs. The IRQ synchronization only happens in mana_hwc_destroy_cq() via mana_gd_destroy_eq() -> mana_gd_deregister_irq(). Since this runs after kfree(hwc->caller_ctx), a concurrent mana_hwc_rx_event_handler() can dereference freed caller_ctx (and rxq->msg_buf) in mana_hwc_handle_resp(). Fix this by reordering teardown to reverse-of-creation order: destroy the TX/RX work queues and CQ/EQ before freeing hwc->caller_ctx. This ensures all in-flight interrupt handlers complete before the memory they access is freed.
Title		net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/05d345719d85b927cba74afac4d5322de3aa4256 https://git.kernel.org/stable/c/249e905571583a434d4ea8d6f92ccc0eef337115 https://git.kernel.org/stable/c/2b001901f689021acd7bf2dceed74a1bdcaaa1f9 https://git.kernel.org/stable/c/afdb1533eb9c05432aeb793a7280fa827c502f5c https://git.kernel.org/stable/c/e23bf444512cb85d76012080a76cd1f9e967448e https://git.kernel.org/stable/c/fa103fc8f56954a60699a29215cb713448a39e87

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:36.189Z

Updated: 2026-04-18T08:59:02.761Z

Reserved: 2026-01-13T15:37:46.020Z

Link: CVE-2026-23454

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-03T16:16:31.947

Modified: 2026-04-18T09:16:27.837

Link: CVE-2026-23454

Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23454 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-07T07:17:25Z

Weaknesses

CWE-825

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object