DevSecOps Toolkit
Login

CVE record

CVE-2026-23281

HIGHCVSS 7.8

In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If a timer callback is executing when lbs_free_adapter() is called, the callback will access freed memory since lbs_cfg_free() frees the containing structure immediately after lbs_free_adapter() returns. Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler) access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields, which would all be use-after-free violations. Use timer_delete_sync() instead to ensure any running timer callback has completed before returning. This bug was introduced in commit 8f641d93c38a ("libertas: detect TX lockups and reset hardware") where del_timer() was used instead of del_timer_sync() in the cleanup path. The command_timer has had the same issue since the driver was first written.

Sponsored

Amazon picks for vulnerability response

Product discovery links are localized to Amazon US when country data is available.

This page may contain affiliate links. We may earn a commission at no extra cost to you. As an Amazon Associate I earn from qualifying purchases.

Identity security

Hardware security keys

Physical MFA keys for admin accounts, cloud consoles, password managers, and incident response workflows.

View on Amazon US
Sponsored Amazon link
Books

Security engineering books

Books on secure design, incident response, threat modeling, cloud security, and practical defense.

View on Amazon US
Sponsored Amazon link
Network lab

Ethernet cable testers

Portable testers for validating office, rack, home lab, and troubleshooting cable runs.

View on Amazon US
Sponsored Amazon link

Vulnerability metadata

Published
2026-03-25T05:46:22.657Z
Modified
2026-05-21T19:01:53.367Z
EPSS
Not available
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Recommended platforms

Affiliate-supported recommendations for CVE-2026-23281 vulnerability response.

This page may contain affiliate links. We may earn a commission at no extra cost to you. As an Amazon Associate I earn from qualifying purchases.

marketplace

Security engineering books

Browse practical security, incident response, cloud security, and secure coding books for team learning.

Browse on Amazon
Amazon US
security

Cloud security platform

Continuously review cloud posture, exposed services, identity risks, and misconfigurations.

Explore security tools
monitoring

Monitoring and incident response

Track uptime, logs, traces, TLS expiry, API latency, and production security signals.

Compare monitoring

References

https://git.kernel.org/stable/c/03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0https://git.kernel.org/stable/c/09f3c30ab3b1371eaf9676a1b8add57bca763083https://git.kernel.org/stable/c/3c5c818c78b03a1725f3dcd566865c77b48dd3a6https://git.kernel.org/stable/c/3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dchttps://git.kernel.org/stable/c/a9f55b14486426d907459bced5825a25063bd922https://git.kernel.org/stable/c/b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4https://git.kernel.org/stable/c/d0155fe68f31b339961cf2d4f92937d57e9384e6https://git.kernel.org/stable/c/ed7d30f90b77f73a47498686ede83f622b7e4f0d
Open this CVE in the lookup tool