Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2026-23281— wifi: libertas: fix use-after-free in lbs_free_adapter()

AI Predicted 7.8 Difficulty: Moderate EPSS 0.02% · P5

Possible ATT&CK Techniques 1AI

T1059 · Command and Scripting Interpreter

Affected Version Matrix 18

VendorProductVersion RangeStatus
LinuxLinux954ee164f4f4598afc172c0ec3865d0352e55a0b< b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4affected
954ee164f4f4598afc172c0ec3865d0352e55a0b< 09f3c30ab3b1371eaf9676a1b8add57bca763083affected
954ee164f4f4598afc172c0ec3865d0352e55a0b< 3f9dec4a6d95d7f1f5e9e9dfdfa173c053bba8dcaffected
954ee164f4f4598afc172c0ec3865d0352e55a0b< 3c5c818c78b03a1725f3dcd566865c77b48dd3a6affected
954ee164f4f4598afc172c0ec3865d0352e55a0b< d0155fe68f31b339961cf2d4f92937d57e9384e6affected
954ee164f4f4598afc172c0ec3865d0352e55a0b< ed7d30f90b77f73a47498686ede83f622b7e4f0daffected
954ee164f4f4598afc172c0ec3865d0352e55a0b< a9f55b14486426d907459bced5825a25063bd922affected
954ee164f4f4598afc172c0ec3865d0352e55a0b< 03cc8f90d0537fcd4985c3319b4fafbf2e3fb1f0affected
… +10 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-23281

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
wifi: libertas: fix use-after-free in lbs_free_adapter()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If a timer callback is executing when lbs_free_adapter() is called, the callback will access freed memory since lbs_cfg_free() frees the containing structure immediately after lbs_free_adapter() returns. Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler) access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields, which would all be use-after-free violations. Use timer_delete_sync() instead to ensure any running timer callback has completed before returning. This bug was introduced in commit 8f641d93c38a ("libertas: detect TX lockups and reset hardware") where del_timer() was used instead of del_timer_sync() in the cleanup path. The command_timer has had the same issue since the driver was first written.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于使用非同步定时器删除,可能导致释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 954ee164f4f4598afc172c0ec3865d0352e55a0b ~ b15e0fa7adb4de3a03aee9e6fc4d83e5cf0a65e4 -
LinuxLinux 2.6.24 -

II. Public POCs for CVE-2026-23281

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-23281

登录查看更多情报信息。
Patch · 6

Same Patch Batch · Linux · 2026-03-25 · 116 CVEs total

CVE-2026-233958.8 HIGHBluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
CVE-2026-317888.2 HIGHxen/privcmd: restrict usage in unprivileged domU
CVE-2026-232807.8 HIGHaccel/amdxdna: Prevent ubuf size overflow
CVE-2026-233177.8 HIGHdrm/vmwgfx: Return the correct value in vmw_translate_ptr functions
CVE-2026-233937.8 HIGHbridge: cfm: Fix race condition in peer_mep deletion
CVE-2026-233927.8 HIGHnetfilter: nf_tables: release flowtable after rcu grace period on error
CVE-2026-233917.8 HIGHnetfilter: xt_CT: drop pending enqueued packets on template removal
CVE-2026-233407.8 HIGHnet: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
CVE-2026-233727.8 HIGHnfc: rawsock: cancel tx_work before socket teardown
CVE-2026-232887.8 HIGHaccel/amdxdna: Fix out-of-bounds memset in command slot handling
CVE-2026-233067.8 HIGHscsi: pm8001: Fix use-after-free in pm8001_queue_command()
CVE-2026-233787.8 HIGHnet/sched: act_ife: Fix metalist update behavior
CVE-2026-233367.8 HIGHwifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
CVE-2026-233517.8 HIGHnetfilter: nft_set_pipapo: split gc into unlink and reclaim phase
CVE-2026-233507.8 HIGHdrm/xe/queue: Call fini on exec queue creation fail
CVE-2026-233837.8 HIGHbpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing
CVE-2026-233647.4 HIGHksmbd: Compare MACs in constant time
CVE-2026-232947.0 HIGHbpf: Fix race in devmap on PREEMPT_RT
CVE-2026-23358drm/amdgpu: Fix error handling in slot reset
CVE-2026-23357can: mcp251x: fix deadlock in error path of mcp251x_open

Showing top 20 of 116 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-23281

No comments yet

Leave a comment