Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()

The mwifiex_adapter_cleanup() function uses timer_delete()
(non-synchronous) for the wakeup_timer before the adapter structure is
freed. This is incorrect because timer_delete() does not wait for any
running timer callback to complete.

If the wakeup_timer callback (wakeup_timer_fn) is executing when
mwifiex_adapter_cleanup() is called, the callback will continue to
access adapter fields (adapter->hw_status, adapter->if_ops.card_reset,
etc.) which may be freed by mwifiex_free_adapter() called later in the
mwifiex_remove_card() path.

Use timer_delete_sync() instead to ensure any running timer callback has
completed before returning.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic use‑after‑free condition in the mwifiex adapter cleanup routine: a timer callback can run concurrently with the adapter’s deallocation, causing freed memory reads that may be exploited to hijack execution or corrupt kernel state. The flaw permits a local attacker with the ability to manipulate Wi‑Fi drivers to execute arbitrary code or crash the system, potentially leading to privilege escalation or denial of service.

Affected Systems

Any Linux distribution that ships the mwifiex Wi‑Fi driver in the kernel, i.e. the generic Linux kernel for all platforms. No specific version range is listed, so all current kernel releases that have not yet applied the kernel commit referenced in the CVE are vulnerable.

Risk and Exploitability

The CVSS score is not listed and no EPSS value is available, but the use‑after‑free nature and lack of remote trigger suggest a high severity local vulnerability. An attacker would need local access and the ability to load or control the mwifiex driver, which is typical for privileged users or malware running with file‑system access. The vulnerability is not recorded in the CISA KEV catalog.

Generated by OpenCVE AI on May 27, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the mwifiex commit applying timer_delete_sync() in mwifiex_adapter_cleanup().
  • If a kernel update is not immediately possible, disable the mwifiex driver or block access to the device via udev rules or systemd services.
  • Verify that no older kernel images remain bootable on the system, and ensure the boot loader defaults to the updated kernel.

Generated by OpenCVE AI on May 27, 2026 at 18:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() The mwifiex_adapter_cleanup() function uses timer_delete() (non-synchronous) for the wakeup_timer before the adapter structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If the wakeup_timer callback (wakeup_timer_fn) is executing when mwifiex_adapter_cleanup() is called, the callback will continue to access adapter fields (adapter->hw_status, adapter->if_ops.card_reset, etc.) which may be freed by mwifiex_free_adapter() called later in the mwifiex_remove_card() path. Use timer_delete_sync() instead to ensure any running timer callback has completed before returning.
Title wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:57:50.213Z

Reserved: 2026-05-13T15:03:33.095Z

Link: CVE-2026-46069

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:28.170

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46069

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T18:15:21Z

Weaknesses