CVE-2026-23185

Summary

In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mld: cancel mlo_scan_start_wk

mlo_scan_start_wk is not canceled on disconnection. In fact, it is not canceled anywhere except in the restart cleanup, where we don't really have to.

This can cause an init-after-queue issue: if, for example, the work was queued and then drv_change_interface got executed.

This can also cause use-after-free: if the work is executed after the vif is freed.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux9748ad82a9d92b036ff3115207e36e2b9932e354 < 9b9f52f052f4953fecd2190ae2dde3aa76d10962affected
LinuxLinux9748ad82a9d92b036ff3115207e36e2b9932e354 < 5ff641011ab7fb63ea101251087745d9826e8ef5affected
LinuxLinux6.17affected
LinuxLinux0 < 6.17unaffected
LinuxLinux6.18.10 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

ADP Enrichment

kernel: wifi: iwlwifi: mld: cancel mlo_scan_start_wk

Additional References

References