{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23336", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.997Z", "datePublished": "2026-03-25T10:27:26.061Z", "dateUpdated": "2026-05-11T22:04:52.288Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:52.288Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: cancel rfkill_block work in wiphy_unregister()\n\nThere is a use-after-free error in cfg80211_shutdown_all_interfaces found\nby syzkaller:\n\nBUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220\nRead of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326\nCPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: events cfg80211_rfkill_block_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x116/0x1f0\n print_report+0xcd/0x630\n kasan_report+0xe0/0x110\n cfg80211_shutdown_all_interfaces+0x213/0x220\n cfg80211_rfkill_block_work+0x1e/0x30\n process_one_work+0x9cf/0x1b70\n worker_thread+0x6c8/0xf10\n kthread+0x3c5/0x780\n ret_from_fork+0x56d/0x700\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nThe problem arises due to the rfkill_block work is not cancelled when wiphy\nis being unregistered. In order to fix the issue cancel the corresponding\nwork in wiphy_unregister().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/wireless/core.c"], "versions": [{"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3", "lessThan": "82a35356b5c1f75fe6a8a561db44e8d0e49da8f9", "status": "affected", "versionType": "git"}, {"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3", "lessThan": "b2e9626a9d16b9bbbd06498c9e73c93be354dc7a", "status": "affected", "versionType": "git"}, {"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3", "lessThan": "eeea8da43ab86ac0a6b9cec225eec91564346940", "status": "affected", "versionType": "git"}, {"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3", "lessThan": "fa18639deab4a3662d543200c5bfc29bf4e23173", "status": "affected", "versionType": "git"}, {"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3", "lessThan": "57e39fe8da573435fa35975f414f4dc17d9f8449", "status": "affected", "versionType": "git"}, {"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3", "lessThan": "584279ad9ff1e8e7c5494b9fce286201f7d1f9e2", "status": "affected", "versionType": "git"}, {"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3", "lessThan": "cd2f52944c7b95dcdfe0d87f385a2d96458a3ae5", "status": "affected", "versionType": "git"}, {"version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3", "lessThan": "767d23ade706d5fa51c36168e92a9c5533c351a1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/wireless/core.c"], "versions": [{"version": "2.6.31", "status": "affected"}, {"version": "0", "lessThan": "2.6.31", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/82a35356b5c1f75fe6a8a561db44e8d0e49da8f9"}, {"url": "https://git.kernel.org/stable/c/b2e9626a9d16b9bbbd06498c9e73c93be354dc7a"}, {"url": "https://git.kernel.org/stable/c/eeea8da43ab86ac0a6b9cec225eec91564346940"}, {"url": "https://git.kernel.org/stable/c/fa18639deab4a3662d543200c5bfc29bf4e23173"}, {"url": "https://git.kernel.org/stable/c/57e39fe8da573435fa35975f414f4dc17d9f8449"}, {"url": "https://git.kernel.org/stable/c/584279ad9ff1e8e7c5494b9fce286201f7d1f9e2"}, {"url": "https://git.kernel.org/stable/c/cd2f52944c7b95dcdfe0d87f385a2d96458a3ae5"}, {"url": "https://git.kernel.org/stable/c/767d23ade706d5fa51c36168e92a9c5533c351a1"}], "title": "wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "57E89197-6305-4D47-AE24-4D5D20CC8429", "versionEndExcluding": "5.10.253", "versionStartIncluding": "2.6.31.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.31:-:*:*:*:*:*:*", "matchCriteriaId": "2887290A-1B43-4DB9-A9D0-B0B56CD78E48", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: cancel rfkill_block work in wiphy_unregister()\n\nThere is a use-after-free error in cfg80211_shutdown_all_interfaces found\nby syzkaller:\n\nBUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220\nRead of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326\nCPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: events cfg80211_rfkill_block_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x116/0x1f0\n print_report+0xcd/0x630\n kasan_report+0xe0/0x110\n cfg80211_shutdown_all_interfaces+0x213/0x220\n cfg80211_rfkill_block_work+0x1e/0x30\n process_one_work+0x9cf/0x1b70\n worker_thread+0x6c8/0xf10\n kthread+0x3c5/0x780\n ret_from_fork+0x56d/0x700\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nThe problem arises due to the rfkill_block work is not cancelled when wiphy\nis being unregistered. In order to fix the issue cancel the corresponding\nwork in wiphy_unregister().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nwifi: cfg80211: cancelar el trabajo rfkill_block en wiphy_unregister()\n\nExiste un error de uso despu\u00e9s de liberaci\u00f3n en cfg80211_shutdown_all_interfaces encontrado por syzkaller:\n\nBUG: KASAN: uso despu\u00e9s de liberaci\u00f3n en cfg80211_shutdown_all_interfaces+0x213/0x220\nLectura de tama\u00f1o 8 en la direcci\u00f3n ffff888112a78d98 por la tarea kworker/0:5/5326\nCPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 No contaminado 6.19.0-rc2 #2 PREEMPT(voluntario)\nNombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nCola de trabajo: eventos cfg80211_rfkill_block_work\nRastro de llamada:\n \n dump_stack_lvl+0x116/0x1f0\n print_report+0xcd/0x630\n kasan_report+0xe0/0x110\n cfg80211_shutdown_all_interfaces+0x213/0x220\n cfg80211_rfkill_block_work+0x1e/0x30\n process_one_work+0x9cf/0x1b70\n worker_thread+0x6c8/0xf10\n kthread+0x3c5/0x780\n ret_from_fork+0x56d/0x700\n ret_from_fork_asm+0x1a/0x30\n \n\nEl problema surge debido a que el trabajo rfkill_block no se cancela cuando wiphy est\u00e1 siendo desregistrado. Para solucionar el problema, cancele el trabajo correspondiente en wiphy_unregister().\n\nEncontrado por Linux Verification Center (linuxtesting.org) con Syzkaller."}], "id": "CVE-2026-23336", "lastModified": "2026-04-23T21:12:52.803", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-25T11:16:31.210", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/57e39fe8da573435fa35975f414f4dc17d9f8449"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/584279ad9ff1e8e7c5494b9fce286201f7d1f9e2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/767d23ade706d5fa51c36168e92a9c5533c351a1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/82a35356b5c1f75fe6a8a561db44e8d0e49da8f9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b2e9626a9d16b9bbbd06498c9e73c93be354dc7a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cd2f52944c7b95dcdfe0d87f385a2d96458a3ae5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/eeea8da43ab86ac0a6b9cec225eec91564346940"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fa18639deab4a3662d543200c5bfc29bf4e23173"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()", "id": "2451255", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451255"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's cfg80211 component. This use-after-free vulnerability occurs when the rfkill_block work is not properly cancelled during the unregistration of a wireless device. A local attacker could potentially exploit this flaw, leading to a denial of service due to memory corruption."], "name": "CVE-2026-23336", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23336\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23336\nhttps://lore.kernel.org/linux-cve-announce/2026032533-CVE-2026-23336-d365@gregkh/T"], "statement": "This flaw affects systems with wireless networking. The rfkill_block work can execute after wiphy_unregister() completes, accessing freed memory in cfg80211_shutdown_all_interfaces(). The race requires specific timing between wireless device unregistration and rfkill work execution. Found by syzkaller automated testing.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3,eeea8da43ab86ac0a6b9cec225eec91564346940)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3,fa18639deab4a3662d543200c5bfc29bf4e23173)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3,57e39fe8da573435fa35975f414f4dc17d9f8449)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3,584279ad9ff1e8e7c5494b9fce286201f7d1f9e2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3,cd2f52944c7b95dcdfe0d87f385a2d96458a3ae5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3,767d23ade706d5fa51c36168e92a9c5533c351a1)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.31"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.31)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T22:05:38.543614+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel patch that cancels the rfkill_block work in wiphy_unregister().", "Reboot the system to load the updated kernel.", "Verify that no KASAN use\u2011after\u2011free messages appear in kernel logs.", "If an immediate update is not available, temporarily disable Wi\u2011Fi interfaces or unload the cfg80211 module until the patch is applied.", "Consider enabling kernel lockdown or other hardening measures to reduce the impact scope."], "summary": {"action": "Patch Now", "impact": "Memory corruption leading to potential code execution"}, "threat_synthesis": {"affected_systems": "Affected systems are all Linux kernel distributions that have not applied the patch that cancels the rfkill_block work in wiphy_unregister(). The description references kernel 6.19.0\u2011rc2, indicating that recent kernel releases before the patch are vulnerable. Any device running an unpatched Linux kernel\u2014whether a workstation, server, or embedded system with Wi\u2011Fi capabilities\u2014is potentially impacted. Based on the description, the vulnerability likely applies to all kernels from 6.19.x through the first patched release.", "description_and_impact": "The vulnerability is a use\u2011after\u2011free error in the Linux kernel\u2019s Wi\u2011Fi subsystem (cfg80211). During interface shutdown, the rfkill_block work item is not canceled when the wireless hardware is unregistered, allowing a kernel thread to read memory that has already been freed. This flaw can potentially be exploited to gain code execution with kernel privileges or to crash the system, leading to loss of availability. The weakness is classified as both CWE\u2011416 and CWE\u2011825. Based on the description, the likely attack vector is local or privileged access that triggers the rfkill workqueue during interface shutdown.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high impact vulnerability. The EPSS score is below 1\u202f%, suggesting a low probability of active exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would need local or privileged access to the affected system, or improperly secure Wi\u2011Fi configuration that could trigger the faulty workqueue. Based on the description, the likely attack vector is local or privileged access that triggers the rfkill workqueue during interface shutdown. Because the flaw can lead to kernel panic or code execution, it should be considered a critical patching priority."}}}}, "created": "2026-03-25T21:32:17.777493+00:00", "updated": "2026-04-28T22:15:41.361388+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}