wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()_CVE-2026-23336

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()

There is a use-after-free error in cfg80211_shutdown_all_interfaces found
by syzkaller:

BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220
Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326
CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events cfg80211_rfkill_block_work
Call Trace:
<TASK>
dump_stack_lvl+0x116/0x1f0
print_report+0xcd/0x630
kasan_report+0xe0/0x110
cfg80211_shutdown_all_interfaces+0x213/0x220
cfg80211_rfkill_block_work+0x1e/0x30
process_one_work+0x9cf/0x1b70
worker_thread+0x6c8/0xf10
kthread+0x3c5/0x780
ret_from_fork+0x56d/0x700
ret_from_fork_asm+0x1a/0x30
</TASK>

The problem arises due to the rfkill_block work is not cancelled when wiphy
is being unregistered. In order to fix the issue cancel the corresponding
work in wiphy_unregister().

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Basic Information

ID CVE-2026-23336

Source Linux

Published Mar 25, 2026 at 10:27

Modified Apr 2, 2026 at 14:44

Affected Product

Vendor Linux

Product Linux

Version 1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3

Affected Versions Linux Linux 1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3
Linux Linux 1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3
Linux Linux 1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3
Linux Linux 1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3
Linux Linux 1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3
Linux Linux 1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3
Linux Linux 2.6.31

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: cancel rfkill_block work in wiphy_unregister()\n\nThere is a use-after-free error in cfg80211_shutdown_all_interfaces found\nby syzkaller:\n\nBUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220\nRead of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326\nCPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: events cfg80211_rfkill_block_work\nCall Trace:\n <TASK>\n dump_stack_lvl+0x116/0x1f0\n print_report+0xcd/0x630\n kasan_report+0xe0/0x110\n cfg80211_shutdown_all_interfaces+0x213/0x220\n cfg80211_rfkill_block_work+0x1e/0x30\n process_one_work+0x9cf/0x1b70\n worker_thread+0x6c8/0xf10\n kthread+0x3c5/0x780\n ret_from_fork+0x56d/0x700\n ret_from_fork_asm+0x1a/0x30\n </TASK>\n\nThe problem arises due to the rfkill_block work is not cancelled when wiphy\nis being unregistered. In order to fix the issue cancel the corresponding\nwork in wiphy_unregister().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
    "published": "2026-03-25T10:27:26.061Z",
    "modified": "2026-04-02T14:44:17.632Z",
    "type": "cve",
    "title": "wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/eeea8da43ab86ac0a6b9cec225eec91564346940\nhttps://git.kernel.org/stable/c/fa18639deab4a3662d543200c5bfc29bf4e23173\nhttps://git.kernel.org/stable/c/57e39fe8da573435fa35975f414f4dc17d9f8449\nhttps://git.kernel.org/stable/c/584279ad9ff1e8e7c5494b9fce286201f7d1f9e2\nhttps://git.kernel.org/stable/c/cd2f52944c7b95dcdfe0d87f385a2d96458a3ae5\nhttps://git.kernel.org/stable/c/767d23ade706d5fa51c36168e92a9c5533c351a1",
    "id": "CVE-2026-23336",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3\nLinux Linux 1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3\nLinux Linux 1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3\nLinux Linux 1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3\nLinux Linux 1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3\nLinux Linux 1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3\nLinux Linux 2.6.31",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "1f87f7d3a3b42b20f34cb03f0fd1a41c3d0e27f3",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply