CVE-2026-23185
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mld: cancel mlo_scan_start_wk
mlo_scan_start_wk is not canceled on disconnection. In fact, it is not canceled anywhere except in the restart cleanup, where we don't really have to.
This can cause an init-after-queue issue: if, for example, the work was queued and then drv_change_interface got executed.
This can also cause use-after-free: if the work is executed after the vif is freed.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 9748ad82a9d92b036ff3115207e36e2b9932e354 < 9b9f52f052f4953fecd2190ae2dde3aa76d10962 | affected |
| Linux | Linux | 9748ad82a9d92b036ff3115207e36e2b9932e354 < 5ff641011ab7fb63ea101251087745d9826e8ef5 | affected |
| Linux | Linux | 6.17 | affected |
| Linux | Linux | 0 < 6.17 | unaffected |
| Linux | Linux | 6.18.10 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
ADP Enrichment
kernel: wifi: iwlwifi: mld: cancel mlo_scan_start_wk
Additional References
- https://access.redhat.com/security/cve/CVE-2026-23185
- https://bugzilla.redhat.com/show_bug.cgi?id=2439925
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23185.json
References
- https://git.kernel.org/stable/c/9b9f52f052f4953fecd2190ae2dde3aa76d10962
- https://git.kernel.org/stable/c/5ff641011ab7fb63ea101251087745d9826e8ef5
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.