CVE-2026-46187
Race Condition in Linux Kernel RSI Driver
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: kernel.org
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is in the Linux kernel's RSI wifi driver and concerns how the driver manages kernel threads (kthreads). The driver uses two methods to stop a kthread: self-exit (kthread_complete_and_exit) and external stop (kthread_stop). Normally kthread_stop() is called first, which causes no issues. In rare cases, however, the self-exit method is called first and kthread_stop() is called afterwards, and a use-after-free (UAF) occurs: the kthread has already exited and its object has been freed, but kthread_stop() tries to access it again. Which of the two stop paths runs first is a race, and the losing order can corrupt memory.
How can this vulnerability impact me?
The use-after-free vulnerability can lead to undefined behavior such as memory corruption, system instability, or crashes in the Linux kernel's wifi driver. This could potentially be exploited by an attacker to cause denial of service or escalate privileges by manipulating kernel memory, impacting the reliability and security of systems using the affected driver.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, the code should be modified to remove the use of kthread_stop() and instead wait until the self-exit operation (kthread_complete_and_exit) is completed. This prevents the use-after-free condition caused by accessing a kthread object that has already exited and been freed.
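
A userspace model of the mitigation described above, added here as an illustration and not taken from the RSI driver or the kernel fix: POSIX threads stand in for kthreads, and struct worker, run_and_stop() and the hand-rolled completion are hypothetical names. The stopping side only waits for the worker's self-exit signal and never touches the thread handle afterwards, so it is safe whichever side acts first.

```c
/* Userspace model (constructed): pthreads stand in for kthreads. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
struct completion { pthread_mutex_t lock; pthread_cond_t cond; bool done; };
struct worker {                      /* hypothetical driver bookkeeping */
    struct completion exited;
    atomic_bool stop_requested;
    int iterations;
};
static void complete(struct completion *c) {
    pthread_mutex_lock(&c->lock);
    c->done = true;
    pthread_cond_signal(&c->cond);
    pthread_mutex_unlock(&c->lock);
}

static void wait_for_completion(struct completion *c) {
    pthread_mutex_lock(&c->lock);
    while (!c->done)
        pthread_cond_wait(&c->cond, &c->lock);
    pthread_mutex_unlock(&c->lock);
}

static void *worker_fn(void *arg) {
    struct worker *w = arg;
    while (!atomic_load(&w->stop_requested) && w->iterations < 1000)
        w->iterations++;             /* stand-in for real work */
    complete(&w->exited);            /* analog of kthread_complete_and_exit() */
    return NULL;                     /* detached: the thread handle is dead now */
}

/* Runs one worker and tears it down; returns its iteration count, -1 on error. */
int run_and_stop(bool request_stop) {
    struct worker *w = calloc(1, sizeof *w);
    pthread_attr_t attr; pthread_t tid;
    if (!w) return -1;
    pthread_mutex_init(&w->exited.lock, NULL);
    pthread_cond_init(&w->exited.cond, NULL);
    pthread_attr_init(&attr);
    pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
    int err = pthread_create(&tid, &attr, worker_fn, w);
    pthread_attr_destroy(&attr);
    if (err != 0) { free(w); return -1; }
    atomic_store(&w->stop_requested, request_stop); /* false: worker self-exits */
    wait_for_completion(&w->exited); /* tid is never used again: no join, no stop */
    int n = w->iterations;
    free(w);                         /* worker has signalled exit; w is ours alone */
    return n;
}
```

Calling pthread_join() on the detached thread after it has exited would be the userspace counterpart of the kthread_stop() call that the mitigation removes.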