{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23135", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.971Z", "datePublished": "2026-02-14T15:14:34.473Z", "dateUpdated": "2026-05-11T22:00:48.767Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:00:48.767Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix dma_free_coherent() pointer\n\ndma_alloc_coherent() allocates a DMA mapped buffer and stores the\naddresses in XXX_unaligned fields. Those should be reused when freeing\nthe buffer rather than the aligned addresses."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath12k/ce.c"], "versions": [{"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2", "lessThan": "36e0bc5e8b282564906fca636c4ebc99814de4e7", "status": "affected", "versionType": "git"}, {"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2", "lessThan": "24585a13c41ea7253ee59aac74441fb570f5824a", "status": "affected", "versionType": "git"}, {"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2", "lessThan": "4846b32be324f4dd3653f38a3f69c049543d52ae", "status": "affected", "versionType": "git"}, {"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2", "lessThan": "bb97131fbf9b708dd9616ac2bdc793ad102b5c48", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath12k/ce.c"], "versions": [{"version": "6.3", "status": "affected"}, {"version": "0", "lessThan": "6.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/36e0bc5e8b282564906fca636c4ebc99814de4e7"}, {"url": "https://git.kernel.org/stable/c/24585a13c41ea7253ee59aac74441fb570f5824a"}, {"url": "https://git.kernel.org/stable/c/4846b32be324f4dd3653f38a3f69c049543d52ae"}, {"url": "https://git.kernel.org/stable/c/bb97131fbf9b708dd9616ac2bdc793ad102b5c48"}], "title": "wifi: ath12k: fix dma_free_coherent() pointer", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA5AD755-3F64-45B9-8709-1D24A061B353", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix dma_free_coherent() pointer\n\ndma_alloc_coherent() allocates a DMA mapped buffer and stores the\naddresses in XXX_unaligned fields. Those should be reused when freeing\nthe buffer rather than the aligned addresses."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: ath12k: correcci\u00f3n del puntero dma_free_coherent()\n\ndma_alloc_coherent() asigna un b\u00fafer mapeado por DMA y almacena las direcciones en campos XXX_unaligned. Esas deber\u00edan ser reutilizadas al liberar el b\u00fafer en lugar de las direcciones alineadas."}], "id": "CVE-2026-23135", "lastModified": "2026-03-17T21:16:17.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-14T16:15:53.483", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/24585a13c41ea7253ee59aac74441fb570f5824a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/36e0bc5e8b282564906fca636c4ebc99814de4e7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4846b32be324f4dd3653f38a3f69c049543d52ae"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bb97131fbf9b708dd9616ac2bdc793ad102b5c48"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: wifi: ath12k: fix dma_free_coherent() pointer", "id": "2439847", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439847"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23135", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23135\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23135\nhttps://lore.kernel.org/linux-cve-announce/2026021438-CVE-2026-23135-74c1@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d889913205cf7ebda905b1e62c5867ed4e39f6c2,36e0bc5e8b282564906fca636c4ebc99814de4e7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d889913205cf7ebda905b1e62c5867ed4e39f6c2,24585a13c41ea7253ee59aac74441fb570f5824a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d889913205cf7ebda905b1e62c5867ed4e39f6c2,4846b32be324f4dd3653f38a3f69c049543d52ae)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[d889913205cf7ebda905b1e62c5867ed4e39f6c2,bb97131fbf9b708dd9616ac2bdc793ad102b5c48)"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.3)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.122,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.68,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.8,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-18T18:04:07.666563+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the ath12k dma_free_coherent fix", "If an immediate kernel upgrade is not possible, disable the ath12k Wi\u2011Fi interface or replace the hardware with a driver that is not affected", "Test the updated kernel or isolated environment before deploying to production"], "summary": {"action": "Apply patch", "impact": "Kernel memory corruption via incorrect DMA buffer deallocation"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that ship the vulnerable ath12k driver code and have not applied the patch, particularly the 6.19 release\u2011candidate series up to rc6 and any earlier kernels that include the same code. Any distribution incorporating these kernels, whether as stock releases or as part of a maintenance update, is potentially affected unless upgraded to an image containing the fix.", "description_and_impact": "In the Linux ath12k Wi\u2011Fi driver, dma_alloc_coherent allocates a DMA buffer and stores the returned addresses in unaligned fields. However, the code that frees the buffer mistakenly uses the aligned addresses stored elsewhere instead of the original unaligned pointer. This misuse of dma_free_coherent can corrupt kernel memory when the kernel deallocates memory that is still in use. The vulnerability, reflected in a CVSS score of 5.5, poses a moderate risk of kernel instability or crash.", "risk_and_exploitability": "The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of exploitation. Based on the description, it is inferred that an attacker would need privileged or local access to the host and the ability to trigger the ath12k driver, for example by sending crafted wireless traffic or manually loading the driver. The impact is limited to kernel memory corruption and potential denial of service; no direct evidence of remote code execution is provided."}}}}, "created": "2026-02-16T12:01:32.159818+00:00", "title": "Kernel memory corruption caused by incorrect DMA buffer deallocation in ath12k Wi\u2011Fi driver", "updated": "2026-04-18T18:15:06.577655+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}