PT-2026-43936 · Linux · Linux

Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-46069

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
The mwifiex_adapter_cleanup() function uses timer_delete() (non-synchronous) for the wakeup timer before the adapter structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete.
If the wakeup timer callback (wakeup_timer_fn) is executing when mwifiex_adapter_cleanup() is called, the callback will continue to access adapter fields (adapter->hw_status, adapter->if_ops.card_reset, etc.) which may be freed by mwifiex_free_adapter() called later in the mwifiex_remove_card() path.
Use timer_delete_sync() instead to ensure any running timer callback has completed before returning.
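
The ordering difference described above, as an added userspace model (not kernel code and not part of the original fix). A pthread stands in for the timer callback, the adapter is only marked as freed rather than actually released, and all struct, field and function names are hypothetical.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

/* Userspace model only; every name here is a hypothetical stand-in. */
struct adapter {
    atomic_int cb_running;   /* callback has started executing */
    atomic_int cb_resume;    /* lets the model choose the interleaving */
    atomic_int freed;        /* set where the kernel would free the adapter */
    atomic_int stale_access; /* callback read the adapter after the "free" */
};

/* Stands in for the wakeup timer callback running on another CPU. */
static void *wakeup_cb(void *arg)
{
    struct adapter *a = arg;

    atomic_store(&a->cb_running, 1);
    while (!atomic_load(&a->cb_resume))
        ;                                /* callback is mid-flight */
    if (atomic_load(&a->freed))          /* models reading adapter->hw_status */
        atomic_store(&a->stale_access, 1);
    return NULL;
}

/* sync == 0 models timer_delete(), sync == 1 models timer_delete_sync().
 * Returns 1 if the callback touched the adapter after it was "freed". */
static int cleanup_then_free(int sync)
{
    struct adapter a = {0};              /* on the stack, so no real UAF occurs */
    pthread_t timer;

    pthread_create(&timer, NULL, wakeup_cb, &a);
    while (!atomic_load(&a.cb_running))
        ;                                /* cleanup starts while callback runs */
    if (sync) {                          /* wait for the callback to return */
        atomic_store(&a.cb_resume, 1);
        pthread_join(timer, NULL);
    }
    atomic_store(&a.freed, 1);           /* point where the adapter is freed */
    if (!sync) {                         /* joined only to read the result */
        atomic_store(&a.cb_resume, 1);
        pthread_join(timer, NULL);
    }
    return atomic_load(&a.stale_access);
}

int main(void)
{
    printf("timer_delete model:      stale access = %d\n", cleanup_then_free(0));
    printf("timer_delete_sync model: stale access = %d\n", cleanup_then_free(1));
    return 0;
}
```

On toolchains where pthreads is not part of libc, build with `cc -pthread`.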

Related Identifiers

CVE-2026-46069

Affected Products

Linux