CVE-2026-23444
- Source
- https://cve.org/CVERecord?id=CVE-2026-23444
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23444.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-23444
- Downstream
- Published
- 2026-04-03T15:15:28.464Z
- Modified
- 2026-05-15T11:54:15.848778530Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: always free skb on ieee80211txprepare_skb() failure
ieee80211txprepareskb() has three error paths, but only two of them free the skb. The first error path (ieee80211txprepare() returning TXDROP) does not free it, while invoketxhandlers() failure and the fragmentation check both do.
Add kfreeskb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac80211hwsim) to avoid double-free.
Document the skb ownership guarantee in the function's kdoc.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23444.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/06e769dddcbeb3baf2ce346273b53dd61fdbecf4
- https://git.kernel.org/stable/c/3b4d27acafaeab478fd24f79ad6e593a892828b9
- https://git.kernel.org/stable/c/50f1b690b4868923fbd242298def2fb88662f108
- https://git.kernel.org/stable/c/d5ad6ab61cbd89afdb60881f6274f74328af3ee9
- https://git.kernel.org/stable/c/f77b51bcee7be2bb686b5f7a2d4a1921e4bdb9f4
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23444.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-23444
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git