
CVE-2026-23281

Published: March 25, 2026 · Updated: Mar 25, 2026

EPSS: 0.02% probability of exploitation in 30 days (percentile: 6.5th)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: libertas: fix use-after-free in lbs_free_adapter()

The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete.

If a timer callback is executing when lbs_free_adapter() is called, the callback will access freed memory since lbs_cfg_free() frees the containing structure immediately after lbs_free_adapter() returns.

Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler) access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields, which would all be use-after-free violations.

Use timer_delete_sync() instead to ensure any running timer callback has completed before returning.

This bug was introduced in commit 8f641d93c38a ("libertas: detect TX lockups and reset hardware") where del_timer() was used instead of del_timer_sync() in the cleanup path. The command_timer has had the same issue since the driver was first written.

NVD Source
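
The race described above, as an added user-space model (not kernel code, and not taken from the libertas driver or its fix): a thread stands in for the timer callback, and the function reports whether that callback is still running at the point where the containing structure would be freed. The names struct model_priv, model_timer_cb and callback_in_flight_at_free are hypothetical, and POSIX threads and semaphores are assumed.

```c
#include <pthread.h>
#include <semaphore.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the driver's private struct; a thread plays the timer callback. */
struct model_priv {
    pthread_t cb_thread;
    sem_t entered, may_finish;  /* handshakes that fix the interleaving */
    bool cb_running;            /* true while the callback still uses priv */
    int cur_cmd;                /* a field the callback touches, like priv->cur_cmd */
};

static void *model_timer_cb(void *arg) {
    struct model_priv *priv = arg;
    priv->cb_running = true;
    sem_post(&priv->entered);     /* callback is now executing */
    sem_wait(&priv->may_finish);  /* held mid-callback until released */
    priv->cur_cmd = 0;            /* would be a use-after-free if priv were already freed */
    priv->cb_running = false;
    return NULL;
}

/* Returns true if the callback is still running at the point teardown would free priv. */
bool callback_in_flight_at_free(bool use_sync) {
    struct model_priv *priv = calloc(1, sizeof(*priv));
    if (!priv) abort();
    sem_init(&priv->entered, 0, 0);
    sem_init(&priv->may_finish, 0, 0);
    pthread_create(&priv->cb_thread, NULL, model_timer_cb, priv);
    sem_wait(&priv->entered);                 /* timer fired, callback in progress */
    if (use_sync) {                           /* models timer_delete_sync() */
        sem_post(&priv->may_finish);          /* callback keeps running concurrently */
        pthread_join(priv->cb_thread, NULL);  /* wait for it to return */
    }                                         /* else models timer_delete(): no wait */
    bool in_flight = priv->cb_running;        /* where lbs_cfg_free() would free priv */
    if (!use_sync) {                          /* model only: drain before the real free */
        sem_post(&priv->may_finish);
        pthread_join(priv->cb_thread, NULL);
    }
    sem_destroy(&priv->entered); sem_destroy(&priv->may_finish);
    free(priv);
    return in_flight;
}

int main(void) {
    printf("timer_delete model:      in flight = %d\n", callback_in_flight_at_free(false));
    printf("timer_delete_sync model: in flight = %d\n", callback_in_flight_at_free(true));
    return 0;
}
```

The model never frees the structure while the callback runs; it only records that the non-synchronous path reaches the free point with the callback still in flight.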

Technical Analysis

CVE-2026-23281 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Quick Facts

CVE ID: CVE-2026-23281
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: Mar 25, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23281 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.