CVE-2026-23281

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A flaw exists in the Linux kernel’s wifi subsystem, specifically within the libertas driver. The lbs free adapter() function incorrectly uses timer delete() instead of timer delete sync() for command and transaction lockup timers before freeing the associated structure. This can lead to a use-after-free condition if a timer callback is executing when lbs free adapter() is called, as the callback may attempt to access memory that has already been freed. The vulnerable function is lbs free adapter(). The issue stems from a change introduced in commit 8f641d93c38a, where del timer() was used instead of del timer sync() during cleanup.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-416

Related Identifiers

CVE-2026-23281

ECHO-0073-B535-18A3

OPENSUSE-SU-2026:20572-1

SUSE-SU-2026:1573-1

SUSE-SU-2026:1661-1

SUSE-SU-2026:21114-1

SUSE-SU-2026:21123-1

SUSE-SU-2026:21237-1

SUSE-SU-2026:21255-1

SUSE-SU-2026:21352-1

SUSE-SU-2026:21361-1

Affected Products

Linux Kernel

Libertas

CVE-2026-23281

Weakness Enumeration

Related Identifiers

Affected Products

References · 217