CVE-2026-23336
Received Received - Intake
Use-After-Free in Linux cfg80211 Causes Kernel Crash

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() There is a use-after-free error in cfg80211_shutdown_all_interfaces found by syzkaller: BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220 Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326 CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: events cfg80211_rfkill_block_work Call Trace: <TASK> dump_stack_lvl+0x116/0x1f0 print_report+0xcd/0x630 kasan_report+0xe0/0x110 cfg80211_shutdown_all_interfaces+0x213/0x220 cfg80211_rfkill_block_work+0x1e/0x30 process_one_work+0x9cf/0x1b70 worker_thread+0x6c8/0xf10 kthread+0x3c5/0x780 ret_from_fork+0x56d/0x700 ret_from_fork_asm+0x1a/0x30 </TASK> The problem arises due to the rfkill_block work is not cancelled when wiphy is being unregistered. In order to fix the issue cancel the corresponding work in wiphy_unregister(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23336
EUVD
EUVD-2026-15299
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.31
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.77 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 2.6.31.1 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free error in the Linux kernel's wifi subsystem, specifically in the cfg80211 component. It occurs because the rfkill_block work is not cancelled when the wireless physical device (wiphy) is being unregistered. This leads to a situation where the system tries to access memory that has already been freed, causing a bug detected by the Kernel Address Sanitizer (KASAN).

Impact Analysis

The use-after-free vulnerability can cause system instability or crashes due to invalid memory access. This can lead to denial of service conditions on affected systems running the vulnerable Linux kernel, potentially disrupting wireless network functionality.

Detection Guidance

This vulnerability is a use-after-free error in the Linux kernel's cfg80211_shutdown_all_interfaces function related to rfkill_block work not being cancelled during wiphy unregistration.

Detection would typically involve monitoring kernel logs for BUG or KASAN (Kernel Address Sanitizer) reports indicating use-after-free errors in cfg80211_shutdown_all_interfaces or related workqueue functions.

You can check your kernel logs using commands such as:

  • dmesg | grep -i 'use-after-free'
  • journalctl -k | grep -i 'cfg80211_shutdown_all_interfaces'
  • journalctl -k | grep -i 'rfkill_block_work'

Additionally, enabling KASAN (Kernel Address Sanitizer) during kernel compilation and running stress tests with tools like Syzkaller can help detect this issue.

Mitigation Strategies

The vulnerability is fixed by cancelling the rfkill_block work in the wiphy_unregister() function to prevent the use-after-free error.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this issue.
  • If updating is not immediately possible, avoid unregistering wiphy devices or disable wireless interfaces that might trigger this code path.
  • Monitor kernel logs for related errors to detect if the vulnerability is being triggered.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23336. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart