DEBIAN-CVE-2026-23281
In the Linux kernel, the following vulnerability has been resolved:

wifi: libertas: fix use-after-free in lbs_free_adapter()

The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete.

If a timer callback is executing when lbs_free_adapter() is called, the callback will access freed memory since lbs_cfg_free() frees the containing structure immediately after lbs_free_adapter() returns.

Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler) access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields, which would all be use-after-free violations.

Use timer_delete_sync() instead to ensure any running timer callback has completed before returning.

This bug was introduced in commit 8f641d93c38a ("libertas: detect TX lockups and reset hardware") where del_timer() was used instead of del_timer_sync() in the cleanup path. The command_timer has had the same issue since the driver was first written.
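The difference between the two teardown calls can be seen in a userspace model. This is an added example, not code from the kernel or the libertas driver: a pthread stands in for the timer callback, and `model_priv`, `model_timer_delete()`, `model_timer_delete_sync()` and `callback_live_at_free()` are hypothetical names. The model only reports whether the callback is still running at the point where the structure would be freed; it never touches freed memory.

```c
/* Userspace model (constructed): a pthread plays the kernel timer callback. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

struct model_priv {                  /* stands in for the driver's priv struct */
    pthread_t timer_thread;          /* stands in for command_timer */
    atomic_int cb_running;           /* 1 while the callback is using priv */
};

static void *timer_cb(void *arg)     /* models lbs_cmd_timeout_handler() */
{
    struct model_priv *priv = arg;
    atomic_store(&priv->cb_running, 1);
    usleep(200 * 1000);              /* callback busy reading priv fields */
    atomic_store(&priv->cb_running, 0);
    return NULL;
}

/* Models timer_delete(): returns at once, never waits for a running callback. */
static void model_timer_delete(struct model_priv *priv) { (void)priv; }

/* Models timer_delete_sync(): returns only after the callback has finished. */
static void model_timer_delete_sync(struct model_priv *priv)
{
    pthread_join(priv->timer_thread, NULL);
}

/* Returns 1 if the callback is still running where the containing structure
 * would be freed (the use-after-free window), 0 if not, -1 on setup error. */
int callback_live_at_free(int use_sync)
{
    struct model_priv *priv = calloc(1, sizeof(*priv));
    if (!priv || pthread_create(&priv->timer_thread, NULL, timer_cb, priv))
        return -1;
    while (!atomic_load(&priv->cb_running))  /* wait until the timer has fired */
        usleep(100);
    if (use_sync) model_timer_delete_sync(priv);
    else          model_timer_delete(priv);
    int live = atomic_load(&priv->cb_running); /* lbs_cfg_free() would free here */
    if (!use_sync) pthread_join(priv->timer_thread, NULL); /* model only: stay safe */
    free(priv);
    return live;
}

int main(void)
{
    printf("timer_delete:      callback live at free = %d\n", callback_live_at_free(0));
    printf("timer_delete_sync: callback live at free = %d\n", callback_live_at_free(1));
    return 0;
}
```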
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | linux | 6.12.16-1, *, 6.13.4-1~exp1 |
| Debian:14 | linux | 6.12.41-1, 6.12.43-1~bpo12+1, 6.12.48-1 |
| Debian:11 | linux | 6.0.12-1, 6.7.4-1, 6.7.7-1 |
| Debian:13 | linux | 6.12.74-2, 6.12.41-1, 6.12.43-1 |
| Debian:11 | linux-6.1 | 6.1.106-3, 6.1.106-3, 6.1.106-3 |
Exploit Intelligence
- 4593.2.0.yml (github-poc)
- 4628.1.0.yml (github-poc)
- 2026-05-06_426_linux-signed-amd64.yaml (github-poc)
Timeline
- Mar 25, 2026 CVE Published
- May 2, 2026 CVE Updated