HIGH
iwlwifi MLO Work Queue UAF
CVE-2026-23185
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mld: cancel mlo_scan_start_wk

mlo_scan_start_wk is not canceled on disconnection. In fact, it is not canceled anywhere except in the restart cleanup, where we don't really have to. This can cause an init-after-queue issue: if, for example, the work was queued and then drv_change_interface got executed. This can also cause use-after-free: if the work is executed after the vif is freed.
02 KernelScan AI Analysis
Risk summary
A use-after-free in the Intel iwlwifi MLD driver's Multi-Link Operation (MLO) scan handling: the mlo_scan_start_wk delayed work is not canceled when the interface disconnects, so it can run after the virtual interface (vif) it references has been freed. A local user who can trigger WiFi interface state changes (CVSS AV:L/PR:L, no physical access required) could crash the kernel or, if the freed vif memory is reallocated under their control before the work runs, potentially corrupt kernel memory and execute code.
Vulnerability analysis
Root Cause: The mlo_scan_start_wk delayed work item (a wiphy_delayed_work embedded in the driver's per-vif state) was not canceled during disconnection or interface cleanup. Two failure modes follow from that, both named in the commit message: if the work is still queued when the interface is re-initialised (the drv_change_interface path), the work item is initialised while still linked into the queue ("init-after-queue"), corrupting the queue state; and if the work runs after the vif has been freed, the callback recovers the vif from the work pointer and dereferences freed memory (use-after-free).
Attack Surface: Local attack surface (CVSS AV:L) on systems whose Intel WiFi hardware is handled by the iwlwifi MLD code path (MLO-capable parts). The trigger is ordinary interface management, such as disconnecting or changing the interface type while an MLO scan is pending; these operations require privileges to manage network interfaces rather than physical access. The bug is a race between the queued work and interface teardown, so a crash may be intermittent rather than deterministic.
Fix Mechanism: The patch cancels the work with wiphy_delayed_work_cancel() in the station state transition to disconnected (iwl_mld_move_sta_state_down), instead of only in the restart cleanup path (where, as the commit notes, the cancel is not needed). Because wiphy work runs and is canceled under the wiphy lock, the cancel guarantees that when disconnection completes the callback is neither pending nor running, so the vif can be freed or re-initialised without any work item still pointing at it.
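The following user-space model shows the lifetime bug and the fix as an added illustration; it is not kernel code and not from the iwlwifi project. The `struct work` queue, `struct vif`, and the function names are hypothetical stand-ins for wiphy_delayed_work and the driver's per-vif state. A `freed` flag replaces a real kfree() so that the callback's dangling access is counted instead of being undefined behaviour; the callback recovers the vif from the work pointer with container_of(), which is the pattern that turns into a use-after-free once the vif is gone.

```c
/* Added illustration of CVE-2026-23185's pattern (hypothetical model, not
 * kernel code): a delayed work item embedded in a per-vif object that is
 * freed while the work is still queued. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct work {                      /* stand-in for wiphy_delayed_work */
    void (*fn)(struct work *);
    bool pending;
    struct work *next;
};

struct vif {                       /* hypothetical per-interface driver state */
    int id;
    bool freed;                    /* models the memory having been released */
    int scans_started;
    struct work mlo_scan_start_wk; /* embedded work, as in the real driver */
};

static struct work *queue_head;    /* pending-work list (LIFO is fine here) */
static int freed_vif_accesses;     /* callbacks that touched a freed vif */

static void queue_work(struct work *w)
{
    if (w->pending)
        return;                    /* already queued; refuse a double queue */
    w->pending = true;
    w->next = queue_head;
    queue_head = w;
}

/* Model of wiphy_delayed_work_cancel(): unlink the item and clear pending. */
static void cancel_work(struct work *w)
{
    for (struct work **pp = &queue_head; *pp; pp = &(*pp)->next) {
        if (*pp == w) {
            *pp = w->next;
            break;
        }
    }
    w->pending = false;
    w->next = NULL;
}

/* Model of the worker thread draining the queue some time later. */
static void run_pending_work(void)
{
    while (queue_head) {
        struct work *w = queue_head;
        queue_head = w->next;
        w->pending = false;
        w->fn(w);
    }
}

/* The scan callback only has the work pointer; it recovers the vif via
 * container_of(), so a vif freed in the meantime is used after free. */
static void mlo_scan_start(struct work *w)
{
    struct vif *v = container_of(w, struct vif, mlo_scan_start_wk);
    if (v->freed) {
        freed_vif_accesses++;      /* this is the UAF in the kernel */
        return;
    }
    v->scans_started++;
}

static struct vif *vif_alloc(int id)
{
    struct vif *v = calloc(1, sizeof(*v));
    v->id = id;
    v->mlo_scan_start_wk.fn = mlo_scan_start;
    return v;
}

/* Buggy teardown: the vif goes away while its work is still queued. */
static void disconnect_buggy(struct vif *v) { v->freed = true; }

/* Fixed teardown: cancel the work before the vif can be freed. */
static void disconnect_fixed(struct vif *v)
{
    cancel_work(&v->mlo_scan_start_wk);
    v->freed = true;
}

/* Returns how many callbacks ran against a freed vif (1 buggy, 0 fixed). */
int simulate_disconnect(bool fixed)
{
    freed_vif_accesses = 0;
    struct vif *v = vif_alloc(1);
    queue_work(&v->mlo_scan_start_wk); /* association scheduled an MLO scan */
    if (fixed)
        disconnect_fixed(v);
    else
        disconnect_buggy(v);
    run_pending_work();                /* worker runs after the vif is gone */
    int hits = freed_vif_accesses;
    free(v);                           /* queue is drained, so this is safe */
    return hits;
}

int main(void)
{
    printf("buggy: %d freed-vif access(es)\n", simulate_disconnect(false));
    printf("fixed: %d freed-vif access(es)\n", simulate_disconnect(true));
    return 0;
}
```

The fixed path mirrors what the patch does in the disconnect transition: cancel (which unlinks a pending item and, in the kernel, also waits out a running one under the wiphy lock) before releasing the object that embeds the work. The same cancel-before-reinit rule avoids the commit's "init-after-queue" case, since initialising an item that is still linked into the queue would leave the list pointing at a reset node.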
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.10 | 9b9f52f052f4 |
| mainline | 6.19 | 5ff641011ab7 |