{"id":"CVE-2026-23281","summary":"wifi: libertas: fix use-after-free in lbs_free_adapter()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix use-after-free in lbs_free_adapter()\n\nThe lbs_free_adapter() function uses timer_delete() (non-synchronous)\nfor both command_timer and tx_lockup_timer before the structure is\nfreed. This is incorrect because timer_delete() does not wait for\nany running timer callback to complete.\n\nIf a timer callback is executing when lbs_free_adapter() is called,\nthe callback will access freed memory since lbs_cfg_free() frees the\ncontaining structure immediately after lbs_free_adapter() returns.\n\nBoth timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler)\naccess priv-\u003edriver_lock, priv-\u003ecur_cmd, priv-\u003edev, and other fields,\nwhich would all be use-after-free violations.\n\nUse timer_delete_sync() instead to ensure any running timer callback\nhas completed before returning.\n\nThis bug was introduced in commit 8f641d93c38a (\"libertas: detect TX\nlockups and reset hardware\") where del_timer() was used instead of\ndel_timer_sync() in the cleanup path. The command_timer has had the\nsame issue since the driver was first written.","modified":"2026-04-02T13:12:20.336380Z","published":"2026-03-25T10:26:41.844Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23281.json"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3c5c818c78b03a1725f3dcd566865c77b48dd3a6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a9f55b14486426d907459bced5825a25063bd922"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d0155fe68f31b339961cf2d4f92937d57e9384e6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ed7d30f90b77f73a47498686ede83f622b7e4f0d"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23281.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23281"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"954ee164f4f4598afc172c0ec3865d0352e55a0b"},{"fixed":"3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc"},{"fixed":"3c5c818c78b03a1725f3dcd566865c77b48dd3a6"},{"fixed":"d0155fe68f31b339961cf2d4f92937d57e9384e6"},{"fixed":"ed7d30f90b77f73a47498686ede83f622b7e4f0d"},{"fixed":"a9f55b14486426d907459bced5825a25063bd922"},{"fixed":"03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23281.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.24"},{"fixed":"6.1.167"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.130"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.17"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23281.json"}}],"schema_version":"1.7.5"}