Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet

The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and
scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware.
But it is never killed in rtl_pci_deinit(). When the rtlwifi card
probe fails or is being detached, the ieee80211_hw is deallocated.
However, irq_prepare_bcn_tasklet may still be running or pending,
leading to use-after-free when the freed ieee80211_hw is accessed
in _rtl_pci_prepare_bcn_tasklet().

Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to
ensure that irq_prepare_bcn_tasklet is properly terminated before
the ieee80211_hw is released.

The issue was identified through static analysis.
Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw in the Linux rtlwifi PCI driver. When a device is removed or a probe fails, a tasklet that prepares beacon frames continues to run or remain pending. Because the tasklet accesses the ieee80211_hw structure after it has been freed, memory corruption can occur, allowing an attacker to execute arbitrary code in kernel context. The issue is a race condition (CWE‑825) involving premature freeing of shared data.

Affected Systems

All Linux kernel builds that include the rtlwifi driver before the tasklet_kill fix are affected. No specific exported version range is available; the issue exists in the driver code prior to the referenced patches and has no publicly listed CVE‑specific version numbers. Systems running kernels that ship the rtlwifi module without the update are vulnerable.

Risk and Exploitability

Based on the description, the likely attack vector is local or via interference with the Wi‑Fi hardware that forces a probe failure or driver unload. The EPSS score of 0.00164 indicates a very low exploitation probability and the vulnerability is not listed in the CISA KEV catalogue. The consequence of successful exploitation would be kernel privilege escalation, so the risk is high. However, as the flaw was discovered through static analysis and no active exploitation reports exist, the probability of exploitation remains uncertain.

Generated by OpenCVE AI on June 26, 2026 at 04:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that contains the rtlwifi driver patch which adds tasklet_kill to rtl_pci_deinit.
  • If a kernel update is not immediately possible, download and apply the patch that adds tasklet_kill (e.g., commit 008c456b… or any subsequent commit that introduces the cleanup) to the rtlwifi driver source, then rebuild the kernel or the module.
  • Reboot the system (or reload the module) after the patch to ensure the driver is reloaded with the proper cleanup logic.

Generated by OpenCVE AI on June 26, 2026 at 04:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 26 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware. But it is never killed in rtl_pci_deinit(). When the rtlwifi card probe fails or is being detached, the ieee80211_hw is deallocated. However, irq_prepare_bcn_tasklet may still be running or pending, leading to use-after-free when the freed ieee80211_hw is accessed in _rtl_pci_prepare_bcn_tasklet(). Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to ensure that irq_prepare_bcn_tasklet is properly terminated before the ieee80211_hw is released. The issue was identified through static analysis.
Title wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:45.359Z

Reserved: 2026-06-09T07:44:35.385Z

Link: CVE-2026-53112

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53112 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T04:30:17Z

Weaknesses
  • CWE-825

    Expired Pointer Dereference