CVE-2026-23336
- Source
- https://cve.org/CVERecord?id=CVE-2026-23336
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23336.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-23336
- Downstream
- Published
- 2026-03-25T10:27:26.061Z
- Modified
- 2026-04-14T03:47:25.736288Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: cancel rfkillblock work in wiphyunregister()
There is a use-after-free error in cfg80211shutdownall_interfaces found by syzkaller:
BUG: KASAN: use-after-free in cfg80211shutdownallinterfaces+0x213/0x220 Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326 CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: events cfg80211rfkillblockwork Call Trace: <TASK> dumpstacklvl+0x116/0x1f0 printreport+0xcd/0x630 kasanreport+0xe0/0x110 cfg80211shutdownallinterfaces+0x213/0x220 cfg80211rfkillblockwork+0x1e/0x30 processonework+0x9cf/0x1b70 workerthread+0x6c8/0xf10 kthread+0x3c5/0x780 retfromfork+0x56d/0x700 retfromforkasm+0x1a/0x30 </TASK>
The problem arises due to the rfkillblock work is not cancelled when wiphy is being unregistered. In order to fix the issue cancel the corresponding work in wiphyunregister().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23336.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/57e39fe8da573435fa35975f414f4dc17d9f8449
- https://git.kernel.org/stable/c/584279ad9ff1e8e7c5494b9fce286201f7d1f9e2
- https://git.kernel.org/stable/c/767d23ade706d5fa51c36168e92a9c5533c351a1
- https://git.kernel.org/stable/c/cd2f52944c7b95dcdfe0d87f385a2d96458a3ae5
- https://git.kernel.org/stable/c/eeea8da43ab86ac0a6b9cec225eec91564346940
- https://git.kernel.org/stable/c/fa18639deab4a3662d543200c5bfc29bf4e23173
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23336.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-23336
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3Fixedeeea8da43ab86ac0a6b9cec225eec91564346940Fixedfa18639deab4a3662d543200c5bfc29bf4e23173Fixed57e39fe8da573435fa35975f414f4dc17d9f8449Fixed584279ad9ff1e8e7c5494b9fce286201f7d1f9e2Fixedcd2f52944c7b95dcdfe0d87f385a2d96458a3ae5Fixed767d23ade706d5fa51c36168e92a9c5533c351a1