Skip to main content

Linux EUVDEUVD-2026-15299

| CVE-2026-23336 HIGH
Use After Free (CWE-416)
2026-03-25 Linux GHSA-rgr3-h3cv-574x
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 18, 2026 - 09:37 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 09:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15299
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()

There is a use-after-free error in cfg80211_shutdown_all_interfaces found by syzkaller:

BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220 Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326 CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: events cfg80211_rfkill_block_work Call Trace: <TASK> dump_stack_lvl+0x116/0x1f0 print_report+0xcd/0x630 kasan_report+0xe0/0x110 cfg80211_shutdown_all_interfaces+0x213/0x220 cfg80211_rfkill_block_work+0x1e/0x30 process_one_work+0x9cf/0x1b70 worker_thread+0x6c8/0xf10 kthread+0x3c5/0x780 ret_from_fork+0x56d/0x700 ret_from_fork_asm+0x1a/0x30 </TASK>

The problem arises due to the rfkill_block work is not cancelled when wiphy is being unregistered. In order to fix the issue cancel the corresponding work in wiphy_unregister().

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

AnalysisAI

Use-after-free in Linux kernel cfg80211 WiFi subsystem allows local authenticated users with low privileges to achieve high impact on confidentiality, integrity, and availability through rfkill work-queue exploitation. The vulnerability affects Linux kernel versions 2.6.31 through 6.19-rc2, with patches released for stable branches 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, and 7.0-rc2. EPSS score of 0.02% (7th percentile) indicates very low probability of mass exploitation. No CISA KEV listing or public exploit identified at time of analysis, though the issue was discovered via syzkaller fuzzing, demonstrating automated exploit development potential.

Technical ContextAI

The cfg80211 subsystem manages Linux kernel wireless device configuration and regulatory enforcement, including rfkill (radio frequency kill switch) functionality. This vulnerability stems from improper work queue lifecycle management: when wiphy_unregister() is called to decommission a wireless device, the cfg80211_rfkill_block_work worker is not cancelled, creating a race condition. The delayed work function cfg80211_rfkill_block_work() subsequently attempts to access freed wiphy memory structures via cfg80211_shutdown_all_interfaces(), triggering a KASAN-detected use-after-free read at offset 0xd98. The vulnerability was introduced in commit 1f87f7d3a3b4 (adding rfkill work handling) and exists across kernel versions from 2.6.31 (initial cfg80211 rfkill integration) through 6.19-rc2. The CPE identifier cpe:2.3:a:linux:linux covers all affected kernel builds. The root cause reflects missing synchronization between device teardown (wiphy_unregister) and asynchronous work queue operations-a common pattern in kernel subsystem cleanup paths.

RemediationAI

Upgrade to patched Linux kernel versions: 6.1.167, 6.6.130, 6.12.77, 6.18.17, 6.19.7, or 7.0-rc2 and later, depending on your stable branch. Mainline fix commit is 82a35356b5c1f75fe6a8a561db44e8d0e49da8f9, with stable branch backports at commits 584279ad9ff1 (mainline), 767d23ade706 (6.19), cd2f52944c7b (6.18), 57e39fe8da57 (6.12), eeea8da43ab8 (6.6), fa18639deab4 (6.1), and b2e9626a9d16 (older stable). Distribution-specific updates available through standard package managers (apt, yum, dnf, zypper). Vendor advisories at https://git.kernel.org/stable/ provide commit-level details. If immediate patching is infeasible, restrict local user access on multi-tenant systems and audit sudo/capability grants that permit wireless device manipulation (CAP_NET_ADMIN). Disable WiFi drivers via modprobe blacklist as temporary mitigation (add 'blacklist cfg80211' to /etc/modprobe.d/blacklist.conf), though this breaks all wireless functionality and may disrupt production services. Kernel live-patching solutions (kpatch, kGraft, Ksplice) can apply fixes without reboot for enterprise environments requiring continuous uptime, but verify vendor support for this specific CVE. No workaround exists that preserves full WiFi functionality without patching.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-15299 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy