CVE-2026-53112
Received Received - Intake
Use-After-Free in Linux Kernel RTLWIFI PCI Driver

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware. But it is never killed in rtl_pci_deinit(). When the rtlwifi card probe fails or is being detached, the ieee80211_hw is deallocated. However, irq_prepare_bcn_tasklet may still be running or pending, leading to use-after-free when the freed ieee80211_hw is accessed in _rtl_pci_prepare_bcn_tasklet(). Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to ensure that irq_prepare_bcn_tasklet is properly terminated before the ieee80211_hw is released. The issue was identified through static analysis.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-53112
EUVD
EUVD-2026-38980
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
realtek rtlwifi *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Realtek rtlwifi PCI driver. It involves a use-after-free condition caused by an unfinished irq_prepare_bcn_tasklet. Specifically, the irq_prepare_bcn_tasklet is initialized and scheduled when a hardware interrupt occurs, but it is not properly terminated when the rtlwifi card is detached or its probe fails. As a result, the tasklet may still run or be pending after the ieee80211_hw structure it accesses has been freed, leading to a use-after-free scenario.

The fix involves adding a tasklet_kill() call in the rtl_pci_deinit() function to ensure the irq_prepare_bcn_tasklet is properly stopped before the ieee80211_hw is released.

Impact Analysis

This use-after-free vulnerability can lead to undefined behavior in the Linux kernel, such as system crashes, memory corruption, or potential escalation of privileges if exploited. Since the tasklet may access freed memory, it could cause instability or allow an attacker to execute arbitrary code within the kernel context, depending on the exploitation scenario.

Mitigation Strategies

The vulnerability is fixed by ensuring that the irq_prepare_bcn_tasklet is properly terminated before the ieee80211_hw is released. This is done by adding tasklet_kill() in rtl_pci_deinit().

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Detection Guidance

This vulnerability was identified through static analysis and involves a use-after-free condition in the rtlwifi driver related to the irq_prepare_bcn_tasklet not being properly killed during device deinitialization.

There are no specific detection commands or network/system detection methods provided in the available information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53112. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart