Linux · Linux Kernel · CVE-2024-56541
**Name of the Vulnerable Software and Affected Versions**
Linux kernel (affected versions not specified)
**Description**
A use-after-free vulnerability has been resolved in the Linux kernel's ath12k module. During removal of the ath12k module, `ath12k_mac_destroy()` unregisters `ah->hw` from mac80211 and frees `ah->hw` along with all the `ar`s in it. Later, `ath12k_dp_cc_cleanup()` tries to access one of the freed `ar`s through a pending `skb`, which is a use-after-free. This happens because the driver failed to flush a few data packets during mac destroy; those packets were accessed later and freed. The vulnerability was introduced by a commit that decrements the pending packets count in case of recovery, a change that does not make sense during core deinit.
**Recommendations**
To fix this issue, avoid accessing `ar` from `skb->cb` when the driver is being unregistered.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
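
The guard recommended above, shown as a simplified userspace C model. This is an added example, not the kernel patch or ath12k source; the struct names, `device_new()`, `mac_destroy()`, `dp_cleanup()` and the `unregistering` flag are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model with hypothetical names; not the ath12k source. */
struct radio { int num_tx_pending; };               /* stands in for ar */
struct pkt { struct radio *ar; struct pkt *next; }; /* skb plus skb->cb */
struct device {
    struct radio *radio;
    struct pkt *pending;  /* tx packets that were never flushed */
    bool unregistering;   /* assumed flag: set once removal starts */
};

/* Build a device with npkts unflushed packets pointing at its radio. */
struct device *device_new(int npkts) {
    struct device *dev = calloc(1, sizeof(*dev));
    dev->radio = calloc(1, sizeof(*dev->radio));
    for (int i = 0; i < npkts; i++) {
        struct pkt *p = calloc(1, sizeof(*p));
        p->ar = dev->radio;
        p->next = dev->pending;
        dev->pending = p;
        dev->radio->num_tx_pending++;
    }
    return dev;
}

/* Removal, step 1: the radio is freed while packets still point at it. */
void mac_destroy(struct device *dev) {
    dev->unregistering = true;
    free(dev->radio);
    dev->radio = NULL;
}

/* Step 2 (also the recovery path): free pending packets, return the count. */
int dp_cleanup(struct device *dev) {
    int freed = 0;
    for (struct pkt *p = dev->pending, *next; p; p = next, freed++) {
        next = p->next;
        /* Touch p->ar only while the radio is alive; without this guard
         * the removal path dereferences freed memory. */
        if (!dev->unregistering)
            p->ar->num_tx_pending--;
        free(p);
    }
    dev->pending = NULL;
    return freed;
}
```

On the recovery path the radio survives and its pending counter is decremented; on the removal path the counter is skipped because its owner is already gone.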