-
CVE-2026-23281
- EPSS 0.04%
- Veröffentlicht 25.03.2026 10:26:41
- Zuletzt bearbeitet 18.04.2026 09:16:16
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
wifi: libertas: fix use-after-free in lbs_free_adapter()
In the Linux kernel, the following vulnerability has been resolved:
wifi: libertas: fix use-after-free in lbs_free_adapter()
The lbs_free_adapter() function uses timer_delete() (non-synchronous)
for both command_timer and tx_lockup_timer before the structure is
freed. This is incorrect because timer_delete() does not wait for
any running timer callback to complete.
If a timer callback is executing when lbs_free_adapter() is called,
the callback will access freed memory since lbs_cfg_free() frees the
containing structure immediately after lbs_free_adapter() returns.
Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler)
access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields,
which would all be use-after-free violations.
Use timer_delete_sync() instead to ensure any running timer callback
has completed before returning.
This bug was introduced in commit 8f641d93c38a ("libertas: detect TX
lockups and reset hardware") where del_timer() was used instead of
del_timer_sync() in the cleanup path. The command_timer has had the
same issue since the driver was first written.Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version
954ee164f4f4598afc172c0ec3865d0352e55a0b
Version <
b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4
Status
affected
Version
954ee164f4f4598afc172c0ec3865d0352e55a0b
Version <
09f3c30ab3b1371eaf9676a1b8add57bca763083
Status
affected
Version
954ee164f4f4598afc172c0ec3865d0352e55a0b
Version <
3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc
Status
affected
Version
954ee164f4f4598afc172c0ec3865d0352e55a0b
Version <
3c5c818c78b03a1725f3dcd566865c77b48dd3a6
Status
affected
Version
954ee164f4f4598afc172c0ec3865d0352e55a0b
Version <
d0155fe68f31b339961cf2d4f92937d57e9384e6
Status
affected
Version
954ee164f4f4598afc172c0ec3865d0352e55a0b
Version <
ed7d30f90b77f73a47498686ede83f622b7e4f0d
Status
affected
Version
954ee164f4f4598afc172c0ec3865d0352e55a0b
Version <
a9f55b14486426d907459bced5825a25063bd922
Status
affected
Version
954ee164f4f4598afc172c0ec3865d0352e55a0b
Version <
03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
2.6.24
Status
affected
Version
0
Version <
2.6.24
Status
unaffected
Version <=
5.10.*
Version
5.10.253
Status
unaffected
Version <=
5.15.*
Version
5.15.203
Status
unaffected
Version <=
6.1.*
Version
6.1.167
Status
unaffected
Version <=
6.6.*
Version
6.6.130
Status
unaffected
Version <=
6.12.*
Version
6.12.78
Status
unaffected
Version <=
6.18.*
Version
6.18.17
Status
unaffected
Version <=
6.19.*
Version
6.19.7
Status
unaffected
Version <=
*
Version
7.0
Status
unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.102 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|