CVE-2026-23281

In the Linux kernel, the following vulnerability has been resolved:

wifi: libertas: fix use-after-free in lbs free adapter()

The lbs free adapter() function uses timer delete() (non-synchronous) for both command timer and tx lockup timer before the structure is freed. This is incorrect because timer delete() does not wait for any running timer callback to complete.

If a timer callback is executing when lbs free adapter() is called, the callback will access freed memory since lbs cfg free() frees the containing structure immediately after lbs free adapter() returns.

Both timer callbacks (lbs cmd timeout handler and lbs tx lockup handler) access priv->driver lock, priv->cur cmd, priv->dev, and other fields, which would all be use-after-free violations.

Use timer delete sync() instead to ensure any running timer callback has completed before returning.

This bug was introduced in commit 8f641d93c38a ("libertas: detect TX lockups and reset hardware") where del timer() was used instead of del timer sync() in the cleanup path. The command timer has had the same issue since the driver was first written.