VDB

DEBIAN-CVE-2026-23281

DEBIAN-CVE-2026-23281 PUBLISHED CVSS 9.300000190734863 CRITICAL

In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If a timer callback is executing when lbs_free_adapter() is called, the callback will access freed memory since lbs_cfg_free() frees the containing structure immediately after lbs_free_adapter() returns. Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler) access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields, which would all be use-after-free violations. Use timer_delete_sync() instead to ensure any running timer callback has completed before returning. This bug was introduced in commit 8f641d93c38a ("libertas: detect TX lockups and reset hardware") where del_timer() was used instead of del_timer_sync() in the cleanup path. The command_timer has had the same issue since the driver was first written.

Risk Scores

CVSS 4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

VendorProductVersions
Debian:12linux6.12.16-1, *, 6.13.4-1~exp1
Debian:14linux6.12.41-1, 6.12.43-1~bpo12+1, 6.12.48-1
Debian:11linux6.0.12-1, 6.7.4-1, 6.7.7-1
Debian:13linux6.12.74-2, 6.12.41-1, 6.12.43-1
Debian:11linux-6.16.1.106-3, 6.1.106-3, 6.1.106-3

Exploit Intelligence

Timeline

  • Mar 25, 2026 CVE Published
  • May 2, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›