PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23281 Linux CVE debrief

CVE-2026-23281 is a Linux kernel use-after-free in the libertas Wi‑Fi driver cleanup path. The bug affects lbs_free_adapter(), where non-synchronous timer teardown could allow a running timer callback to continue after the adapter structure was freed. That creates a memory safety issue in code that can touch driver state such as locks, command pointers, and device references. The issue is rated CVSS 7.8 (HIGH) with local, low-privileged attack conditions.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-05-22
Advisory published: 2026-03-25
Advisory updated: 2026-05-22

Who should care

Linux kernel maintainers, distribution security teams, embedded device vendors, and operators running kernels that include the libertas driver should care. Systems that actually load or ship the libertas Wi‑Fi stack are the most exposed, especially where kernel updates lag behind the stable fixes.

Technical summary

According to the CVE record, lbs_free_adapter() used timer_delete() for both command_timer and tx_lockup_timer before freeing the containing structure. timer_delete() only deactivates a pending timer and returns immediately; it does not wait for a callback that is already executing on another CPU, so a timer callback could still be running when lbs_cfg_free() releases the adapter memory. The callbacks lbs_cmd_timeout_handler and lbs_tx_lockup_handler access fields such as priv->driver_lock, priv->cur_cmd, and priv->dev, so a late callback can dereference freed memory. The fix is to use timer_delete_sync(), which waits for any running callback to complete before teardown continues. NVD maps the weakness to CWE-416 and lists affected kernel ranges ending at the patched stable releases.
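The ordering problem above can be reproduced outside the kernel. The following is an added userspace model, not code from the libertas driver or the kernel patch: a pthread stands in for the timer callback, a "freed" flag stands in for kfree(), and the two teardown variants differ only in whether they wait for the running callback before the adapter is marked freed. All struct and function names ending in _model are assumptions made for this illustration.

```c
/* Added userspace model of the CVE-2026-23281 teardown race; this is not
 * kernel code and not the libertas driver. A pthread stands in for the
 * kernel timer callback and a "freed" flag stands in for kfree(), so the
 * wrong ordering is observed without executing a real use-after-free. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

struct lbs_private_model {
    atomic_bool freed;        /* set where lbs_cfg_free() would release the memory */
    atomic_bool cb_running;   /* the timer callback has started executing */
    int cur_cmd;              /* stands in for priv->cur_cmd */
};

struct timer_model {
    pthread_t thread;
    struct lbs_private_model *priv;
    atomic_bool uaf_observed; /* callback touched priv after it was "freed" */
};

static void sleep_ms(long ms)
{
    struct timespec ts = { .tv_sec = ms / 1000, .tv_nsec = (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Models lbs_cmd_timeout_handler(): already running when teardown starts,
 * and still dereferencing priv a little later. */
static void *timer_callback(void *arg)
{
    struct timer_model *t = arg;
    atomic_store(&t->priv->cb_running, true);
    sleep_ms(100);                          /* callback is busy while teardown proceeds */
    if (atomic_load(&t->priv->freed))
        atomic_store(&t->uaf_observed, true);
    volatile int sink = t->priv->cur_cmd;   /* the late dereference */
    (void)sink;
    return NULL;
}

static void timer_start(struct timer_model *t, struct lbs_private_model *priv)
{
    t->priv = priv;
    atomic_store(&t->uaf_observed, false);
    pthread_create(&t->thread, NULL, timer_callback, t);
}

/* Models timer_delete(): returns at once; a callback that is already running
 * keeps running. (A pending-but-not-started timer would be cancelled here.) */
static void timer_delete_model(struct timer_model *t)
{
    (void)t;
}

/* Models timer_delete_sync(): additionally waits for a running callback. */
static void timer_delete_sync_model(struct timer_model *t)
{
    pthread_join(t->thread, NULL);
}

/* Models lbs_free_adapter() followed by lbs_cfg_free(). 'fixed' selects the
 * timer_delete_sync() ordering from the patch. Returns true if the callback
 * observed the adapter after it had been "freed". */
static bool free_adapter_model(bool fixed)
{
    struct lbs_private_model priv = { .cur_cmd = 1 };
    struct timer_model cmd_timer;

    timer_start(&cmd_timer, &priv);
    while (!atomic_load(&priv.cb_running))
        sleep_ms(1);                        /* make sure the callback is mid-flight */

    if (fixed)
        timer_delete_sync_model(&cmd_timer);
    else
        timer_delete_model(&cmd_timer);

    atomic_store(&priv.freed, true);        /* lbs_cfg_free(): adapter memory is gone */

    if (!fixed)
        pthread_join(cmd_timer.thread, NULL); /* only so the demo can read the result */
    return atomic_load(&cmd_timer.uaf_observed);
}

int main(void)
{
    printf("timer_delete():      use-after-free observed = %d\n", free_adapter_model(false));
    printf("timer_delete_sync(): use-after-free observed = %d\n", free_adapter_model(true));
    return 0;
}
```

The 100 ms sleep inside the callback is what makes the model deterministic: the teardown path is guaranteed to run while the callback is in flight, which is exactly the window the real bug depends on. With the non-synchronous variant the callback sees the freed flag; with the synchronous variant the join happens before the flag is set, so the dereference is safe.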

Defensive priority

High. This is a kernel memory-safety flaw with high CVSS impact and local attack prerequisites. Prioritize patching any kernel deployment that includes the libertas driver, especially production, embedded, and long-lived systems.

Recommended defensive actions

  • Apply the upstream/stable kernel fixes referenced in the CVE record and reboot into the updated kernel.
  • Verify whether your kernel builds include the libertas driver and whether the affected ranges apply to your release line.
  • Track the patched stable release boundaries listed by NVD for your branch: 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.17, 6.19.7, or the 7.0-rc1 fix stream.
  • If you maintain a custom kernel, backport the timer_delete_sync() cleanup change to the libertas driver.
  • Prioritize updates on systems with Wi‑Fi hardware or images that ship the libertas module, even if the driver is not commonly used.
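The checks in the list above can be scripted. The following added example, not part of this debrief or of any kernel tooling, compares a kernel release string against the patched stable boundaries listed here and looks for the libertas core module in a /proc/modules-style listing; release_status() and libertas_loaded_in_text() are names chosen for this illustration, and the sample module listing is constructed.

```c
/* Added example, not from the advisory: compare a kernel release string
 * against the patched stable boundaries listed above and look for the
 * libertas core module in a /proc/modules-style listing. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Patched stable boundaries from the NVD record; 7.0-rc1 and later carry the fix. */
static const char *const fixed_releases[] = {
    "5.10.253", "5.15.203", "6.1.167", "6.6.130", "6.12.78", "6.18.17", "6.19.7",
};

/* Parse "MAJ.MIN[.PATCH][-suffix]"; returns 1 on success, 0 if unparsable. */
static int parse_release(const char *s, int *maj, int *min, int *pat)
{
    *pat = 0;
    return sscanf(s, "%d.%d.%d", maj, min, pat) >= 2;
}

/* 1 = at or after the branch fix, 0 = before it, -1 = branch not in the list,
 * -2 = release string not understood. */
static int release_status(const char *release)
{
    int maj, min, pat;
    if (!parse_release(release, &maj, &min, &pat))
        return -2;
    if (maj >= 7)
        return 1;                           /* mainline fix from 7.0-rc1 per the record */
    for (size_t i = 0; i < sizeof fixed_releases / sizeof fixed_releases[0]; i++) {
        int fmaj, fmin, fpat;
        parse_release(fixed_releases[i], &fmaj, &fmin, &fpat);
        if (fmaj == maj && fmin == min)
            return pat >= fpat;
    }
    return -1;
}

/* Returns 1 if a line in a /proc/modules-style listing names the "libertas"
 * core module (the one that contains lbs_free_adapter()). */
static int libertas_loaded_in_text(const char *listing)
{
    char line[512], name[64];
    FILE *fp = fmemopen((void *)listing, strlen(listing), "r");
    int found = 0;
    if (!fp)
        return 0;
    while (!found && fgets(line, sizeof line, fp))
        if (sscanf(line, "%63s", name) == 1 && strcmp(name, "libertas") == 0)
            found = 1;
    fclose(fp);
    return found;
}

/* Reads the real /proc/modules into a buffer; returns 0 if it cannot be read. */
static int read_proc_modules(char *buf, size_t cap)
{
    FILE *fp = fopen("/proc/modules", "r");
    size_t n;
    if (!fp)
        return 0;
    n = fread(buf, 1, cap - 1, fp);
    buf[n] = '\0';
    fclose(fp);
    return 1;
}

int main(void)
{
    struct utsname u;
    static char modules[1 << 16];
    /* Constructed sample listing in /proc/modules format, for illustration only. */
    const char *sample = "libertas_sdio 28672 0 - Live 0x0000000000000000\n"
                         "libertas 131072 1 libertas_sdio, Live 0x0000000000000000\n";

    printf("sample listing has libertas loaded: %d\n", libertas_loaded_in_text(sample));
    if (uname(&u) == 0)
        printf("running %s: status %d (1 fixed, 0 vulnerable, -1 branch unlisted)\n",
               u.release, release_status(u.release));
    if (read_proc_modules(modules, sizeof modules))
        printf("this host has libertas loaded: %d\n", libertas_loaded_in_text(modules));
    return 0;
}
```

A distribution kernel that backports the fix without bumping the upstream patch level will be reported as vulnerable by the version comparison, so treat a 0 result as a prompt to check the distribution changelog, not as a final verdict. A loaded module is only one signal; a kernel with CONFIG_LIBERTAS built in, or an image that ships the module without loading it, also falls under the recommended actions.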

Evidence notes

Source corpus indicates CVE-2026-23281 was published on 2026-03-25 and modified on 2026-05-22. The NVD record is analyzed, maps the issue to CWE-416, and gives CVSS v3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8 HIGH). The supplied description says the issue is a use-after-free in lbs_free_adapter() caused by non-synchronous timer deletion and identifies timer_delete_sync() as the fix. The NVD references include multiple official kernel patch links on git.kernel.org/stable.

Official resources

Publicly disclosed in the CVE record on 2026-03-25 and updated in NVD on 2026-05-22. This debrief is based only on the supplied official record and linked kernel patch references.