Skip to main content

Linux EUVDEUVD-2026-18688

| CVE-2026-23444 HIGH
Memory Leak (CWE-401)
2026-04-03 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
Severity Changed
Apr 27, 2026 - 14:22 NVD
MEDIUM HIGH
CVSS changed
Apr 27, 2026 - 14:22 NVD
5.5 (MEDIUM) 7.8 (HIGH)
CVSS changed
Apr 23, 2026 - 21:11 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
50f1b690b4868923fbd242298def2fb88662f108,06e769dddcbeb3baf2ce346273b53dd61fdbecf4
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18688
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure

ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do.

Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac80211_hwsim) to avoid double-free.

Document the skb ownership guarantee in the function's kdoc.

AnalysisAI

Memory leak in Linux kernel mac80211 subsystem's ieee80211_tx_prepare_skb() function fails to free socket buffers (skb) in one of three error paths, allowing local denial of service through memory exhaustion. The vulnerability affects all Linux kernel versions with the vulnerable code path in wireless MAC 802.11 handling; no active exploitation has been reported, but the fix addresses a resource leak that could be triggered by applications exercising error conditions in Wi-Fi frame preparation.

Technical ContextAI

The ieee80211_tx_prepare_skb() function in the Linux kernel's mac80211 (802.11 MAC layer) subsystem prepares wireless frames for transmission. The function has three distinct error handling paths: one where ieee80211_tx_prepare() returns TX_DROP status, one where invoke_tx_handlers() fails, and one where fragmentation validation fails. Socket buffer (skb) objects in Linux networking represent packet data and must be explicitly freed to prevent memory leaks. The vulnerability stems from inconsistent error handling where only two of the three error paths call kfree_skb(), leaving the first path to leak the allocated skb object. This impacts the entire Linux kernel's Wi-Fi stack, including drivers like Qualcomm Atheros (ath9k), MediaTek (mt76), and the mac80211_hwsim simulation driver, all of which previously worked around this inconsistency by redundantly freeing skbs at their call sites.

RemediationAI

Apply the Linux kernel patches from the referenced commits to ieee80211_tx_prepare_skb() in net/mac80211/tx.c. The primary fix adds kfree_skb() to the first error path (when ieee80211_tx_prepare() returns TX_DROP) and removes redundant kfree_skb() calls from caller functions in ath9k, mt76, and mac80211_hwsim to eliminate double-free risk. Affected distributors should backport commit 06e769dddcbeb3baf2ce346273b53dd61fdbecf4 (or equivalent patches 50f1b690b4868923fbd242298def2fb88662f108 and d5ad6ab61cbd89afdb60881f6274f74328af3ee9) to their supported stable kernel branches. Users running affected kernel versions should update to a patched kernel version; interim mitigation is not practical for this code path. References: https://git.kernel.org/stable/c/06e769dddcbeb3baf2ce346273b53dd61fdbecf4

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18688 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy