Skip to main content

Linux Kernel EUVDEUVD-2026-32451

| CVE-2026-46069 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-q36x-5cv4-59hh
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local trigger (AV:L) needing driver-removal privileges (PR:L); exploitation hinges on winning a non-deterministic timer-vs-cleanup race, so AC:H; UAF yields full memory-corruption impact (C/I/A:H).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:08 vuln.today
CVSS changed
Jun 24, 2026 - 17:07 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()

The mwifiex_adapter_cleanup() function uses timer_delete() (non-synchronous) for the wakeup_timer before the adapter structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete.

If the wakeup_timer callback (wakeup_timer_fn) is executing when mwifiex_adapter_cleanup() is called, the callback will continue to access adapter fields (adapter->hw_status, adapter->if_ops.card_reset, etc.) which may be freed by mwifiex_free_adapter() called later in the mwifiex_remove_card() path.

Use timer_delete_sync() instead to ensure any running timer callback has completed before returning.

AnalysisAI

Use-after-free in the Linux kernel's mwifiex Wi-Fi driver (Marvell) occurs during adapter teardown: mwifiex_adapter_cleanup() calls the non-synchronous timer_delete() on the wakeup_timer, so a still-running wakeup_timer_fn callback can dereference adapter fields (hw_status, if_ops.card_reset) after mwifiex_free_adapter() frees them along the card-removal path. A local attacker who can trigger device removal while the timer fires could corrupt freed kernel memory, enabling privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 5th percentile), and the fix (timer_delete_sync()) is merged into stable releases.

Technical ContextAI

The flaw lives in the mwifiex driver, which supports Marvell/NXP 802.11 chipsets common in some laptops, SBCs, and embedded devices. The root cause is CWE-416 (use-after-free) stemming from a timer-teardown race: timer_delete() removes a timer from the queue but returns immediately without waiting for an in-flight callback to finish, whereas timer_delete_sync() blocks until any running callback completes. Because wakeup_timer_fn touches adapter state that mwifiex_free_adapter() subsequently frees during mwifiex_remove_card(), the unsynchronized delete leaves a window where the callback runs against freed memory. The CPE data lists only generic Linux kernel entries (cpe:2.3:o:linux:linux_kernel:*) without bounded version ranges, so exact affected ranges must be read from the commit/version metadata rather than the CPE strings.

RemediationAI

Vendor-released patch: update to a fixed Linux stable release - 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 or later for your kernel branch; the fix replaces timer_delete() with timer_delete_sync() in mwifiex_adapter_cleanup(). Apply your distribution's kernel update once it incorporates the corresponding stable commit (see https://git.kernel.org/stable/c/030abbae49cf9fd1fba7aa08e15ec81efbeb78cf and the sibling commits listed in the references). If immediate patching is not possible, a practical compensating control is to avoid loading the vulnerable driver where it is not needed - blacklist the mwifiex module (e.g., via modprobe blacklist) on systems that do not use Marvell Wi-Fi, which fully removes the attack surface at the cost of disabling that Wi-Fi hardware; on systems that require the driver, restrict the local privileges needed to trigger device removal/unbind and rmmod to trusted administrators to reduce who can race the teardown path.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy