Skip to main content

Linux Kernel EUVDEUVD-2026-15203

| CVE-2026-23281 HIGH
Use After Free (CWE-416)
2026-03-25 Linux
High
Disputed · 7.8 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
3.1 LOW
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
May 22, 2026 - 00:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 22, 2026 - 00:37 vuln.today
cvss_changed
CVSS changed
May 22, 2026 - 00:37 NVD
7.8 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15203
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:26 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: libertas: fix use-after-free in lbs_free_adapter()

The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete.

If a timer callback is executing when lbs_free_adapter() is called, the callback will access freed memory since lbs_cfg_free() frees the containing structure immediately after lbs_free_adapter() returns.

Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler) access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields, which would all be use-after-free violations.

Use timer_delete_sync() instead to ensure any running timer callback has completed before returning.

This bug was introduced in commit 8f641d93c38a ("libertas: detect TX lockups and reset hardware") where del_timer() was used instead of del_timer_sync() in the cleanup path. The command_timer has had the same issue since the driver was first written.

AnalysisAI

Use-after-free in the Linux kernel's libertas wireless driver (lbs_free_adapter()) allows local privileged users to corrupt memory when a timer callback races with adapter teardown. The flaw stems from using non-synchronous timer_delete() instead of timer_delete_sync() on command_timer and tx_lockup_timer, leaving callbacks free to dereference freed driver_lock, cur_cmd, and dev fields. EPSS is very low (0.02%, 7th percentile) and there is no public exploit identified at time of analysis, but the bug has existed since the driver's introduction and on stable trees through 6.18.x.

Technical ContextAI

The affected code lives in drivers/net/wireless/marvell/libertas, the legacy Marvell 88W8xxx (Libertas) Wi-Fi driver in the Linux kernel. The root cause is a CWE-416 use-after-free triggered by a race between two kernel timers (lbs_cmd_timeout_handler and lbs_tx_lockup_handler) and the driver's adapter free path. timer_delete() (formerly del_timer()) only cancels a not-yet-fired timer; it does not block on a callback already running on another CPU. Because lbs_cfg_free() releases the priv structure immediately after lbs_free_adapter() returns, an in-flight callback then dereferences freed memory (priv->driver_lock, priv->cur_cmd, priv->dev). The fix substitutes timer_delete_sync(), which waits for any running instance of the callback to finish before returning. The command_timer issue has existed since the driver was first written; the tx_lockup_timer regression was introduced by commit 8f641d93c38a ("libertas: detect TX lockups and reset hardware").

RemediationAI

Vendor-released patch: upgrade to Linux 7.0-rc2 (mainline) or the corresponding stable updates 6.19.7, 6.18.17, 6.12.78, 6.6.130, or 6.1.167, which replace timer_delete() with timer_delete_sync() in lbs_free_adapter(); see the stable commits at https://git.kernel.org/stable/c/3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dc, https://git.kernel.org/stable/c/a9f55b14486426d907459bced5825a25063bd922, https://git.kernel.org/stable/c/d0155fe68f31b339961cf2d4f92937d57e9384e6, https://git.kernel.org/stable/c/3c5c818c78b03a1725f3dcd566865c77b48dd3a6, https://git.kernel.org/stable/c/03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0, and https://git.kernel.org/stable/c/ed7d30f90b77f73a47498686ede83f622b7e4f0d, and pick up the distro-built kernels tracked under Debian and other downstreams. For systems that cannot reboot immediately, blacklist the libertas and libertas_sdio/libertas_usb modules via /etc/modprobe.d (e.g., "blacklist libertas") and unload them with rmmod where the underlying Marvell Libertas Wi-Fi hardware is not in use - this eliminates the attack surface entirely at the cost of disabling those specific Wi-Fi adapters. Restricting module autoload (modules_disabled=1 once boot is complete) further reduces exposure on systems that should never legitimately load this driver, though it also blocks loading any other modules post-boot.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15203 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy