Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: rsi: fix kthread lifetime race between self-exit and external-stop

The RSI driver uses both self-exit (kthread_complete_and_exit) and external-stop
(kthread_stop) when killing a kthread. Generally, kthread_stop() is called
first, and in this case, no particular issues occur.

However, in rare instances where kthread_complete_and_exit() is called
first and then kthread_stop() is called, a UAF occurs because the kthread
object, which has already exited and been freed, is accessed again.

Therefore, to prevent this with minimal modification, you must remove
kthread_stop() and change the code to wait until the self-exit operation
is completed.
Published: 2026-05-28
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a race condition (CWE-366) between kthread_complete_and_exit and kthread_stop in the RSI wifi driver. If the thread exits first with kthread_complete_and_exit and then kthread_stop is called, the kernel may free the kthread structure while the stop call still accesses it, leading to a use‑after‑free that could corrupt kernel memory or cause a crash.

Affected Systems

The vulnerability resides in the Linux kernel’s RSI wifi driver and affects Linux kernel releases, including version 7.1 RC1 and RC2 as well as all other kernel versions listed in the CPE data. Any kernel build that contains this driver prior to the commit that removes kthread_stop usage may be susceptible.

Risk and Exploitability

The EPSS score of < 1% suggests a very low exploitation frequency. The CVSS score of 4.7 indicates a low‑to‑moderate severity. The vulnerability implies kernel memory corruption, which, if successfully triggered, could allow an attacker with local or privileged access to gain kernel privileges or cause a denial of service. Based on the description, it is inferred that the attack would require a local attacker who can influence the driver’s lifecycle, such as by loading or unloading the module. The flaw is not listed in CISA’s KEV catalog, indicating that it has not been observed in the wild as of now.

Generated by OpenCVE AI on June 11, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit removing the kthread_stop usage
  • If an immediate kernel update is not possible, unload or disable the RSI wifi driver to avoid the race condition
  • Apply the patch locally by copying the commit that removes kthread_stop and recompiling the module

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 01 Jun 2026 17:00:00 +0000


Fri, 29 May 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: fix kthread lifetime race between self-exit and external-stop RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur. However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again. Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed.
Title wifi: rsi: fix kthread lifetime race between self-exit and external-stop
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:01:14.431Z

Reserved: 2026-05-13T15:03:33.104Z

Link: CVE-2026-46187

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:34.333

Modified: 2026-06-11T03:06:52.100

Link: CVE-2026-46187

Redhat

Severity:

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46187 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-11T05:30:06Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

  • CWE-366

    Race Condition within a Thread