CVE-2026-23336
Use-After-Free in Linux cfg80211 Causes Kernel Crash
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 2.6.31 |
| linux | linux_kernel | From 6.19 (inc) to 6.19.7 (exc) |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.17 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.130 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.77 (exc) |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.167 (exc) |
| linux | linux_kernel | From 2.6.31.1 (inc) to 5.10.253 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a use-after-free error in the Linux kernel's wifi subsystem, specifically in the cfg80211 component. It occurs because the rfkill_block work is not cancelled when the wireless physical device (wiphy) is being unregistered. This leads to a situation where the system tries to access memory that has already been freed, causing a bug detected by the Kernel Address Sanitizer (KASAN).
How can this vulnerability impact me?
The use-after-free vulnerability can cause system instability or crashes due to invalid memory access. This can lead to denial of service conditions on affected systems running the vulnerable Linux kernel, potentially disrupting wireless network functionality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a use-after-free error in the Linux kernel's cfg80211_shutdown_all_interfaces function related to rfkill_block work not being cancelled during wiphy unregistration.
Detection would typically involve monitoring kernel logs for BUG or KASAN (Kernel Address Sanitizer) reports indicating use-after-free errors in cfg80211_shutdown_all_interfaces or related workqueue functions.
You can check your kernel logs using commands such as:
- dmesg | grep -i 'use-after-free'
- journalctl -k | grep -i 'cfg80211_shutdown_all_interfaces'
- journalctl -k | grep -i 'rfkill_block_work'
Additionally, enabling KASAN (Kernel Address Sanitizer) during kernel compilation and running stress tests with tools like Syzkaller can help detect this issue.
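The greps above match single lines, so the 'use-after-free' one also fires on reports from unrelated code. As an added example (not part of the original page or of the kernel project), the Python script below groups a kernel log into KASAN reports and keeps only use-after-free reports that mention the symbols named on this page. It assumes the usual KASAN layout of a `BUG: KASAN:` header between lines of `=`; the sample log is constructed.

```python
import re
import sys

# Symbols named on this page; a report must mention one of them to count.
SYMBOLS = ("cfg80211_shutdown_all_interfaces", "rfkill_block_work")
HEADER = re.compile(r"BUG: KASAN: (\S*use-after-free) in (\S+)")
DELIM = re.compile(r"={20,}")  # KASAN brackets each report with a line of '='

# Constructed sample kernel log (not from a real system): one report in the
# cfg80211 path and one unrelated use-after-free that a bare grep would also hit.
SAMPLE_LOG = """\
[  101.000001] ==================================================================
[  101.000002] BUG: KASAN: slab-use-after-free in cfg80211_shutdown_all_interfaces+0x1a/0x90
[  101.000003] Read of size 8 at addr ffff888000000000 by task kworker/0:1/42
[  101.000004] Workqueue: events rfkill_block_work
[  101.000005] ==================================================================
[  250.000001] ==================================================================
[  250.000002] BUG: KASAN: slab-use-after-free in example_unrelated_driver+0x10/0x40
[  250.000003] Read of size 4 at addr ffff888000001000 by task test/77
[  250.000004] ==================================================================
"""

def find_reports(lines):
    """Split the log into KASAN reports and keep use-after-free reports
    whose body mentions one of SYMBOLS."""
    hits, current = [], None
    for line in list(lines) + ["=" * 66]:   # sentinel closes a truncated report
        if DELIM.search(line):
            if current and current["symbols"]:
                hits.append(current)
            current = None
            continue
        m = HEADER.search(line)
        if m:
            current = {"kind": m.group(1), "site": m.group(2), "symbols": []}
        if current is not None:
            for s in SYMBOLS:
                if s in line and s not in current["symbols"]:
                    current["symbols"].append(s)
    return hits

if __name__ == "__main__":
    # Usage: journalctl -k -o cat | python3 this_file.py   (no piped input: sample)
    src = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    for r in find_reports(src):
        print(f"{r['kind']} at {r['site']} mentions {', '.join(r['symbols'])}")
```

A match only shows that a KASAN-enabled kernel reported the access; kernels built without KASAN log nothing in this format.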
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by cancelling the rfkill_block work in the wiphy_unregister() function to prevent the use-after-free error.
Immediate mitigation steps include:
- Update your Linux kernel to a version that includes the fix for this issue.
- If updating is not immediately possible, avoid unregistering wiphy devices or disable wireless interfaces that might trigger this code path.
- Monitor kernel logs for related errors to detect if the vulnerability is being triggered.