HIGH
cfg80211 RfkillBlock UAF
CVE-2026-23336
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI7.8HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() There is a use-after-free error in cfg80211_shutdown_all_interfaces found by syzkaller: BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220 Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326 CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: events cfg80211_rfkill_block_work Call Trace: <TASK> dump_stack_lvl+0x116/0x1f0 print_report+0xcd/0x630 kasan_report+0xe0/0x110 cfg80211_shutdown_all_interfaces+0x213/0x220 cfg80211_rfkill_block_work+0x1e/0x30 process_one_work+0x9cf/0x1b70 worker_thread+0x6c8/0xf10 kthread+0x3c5/0x780 ret_from_fork+0x56d/0x700 ret_from_fork_asm+0x1a/0x30 </TASK> The problem arises due to the rfkill_block work is not cancelled when wiphy is being unregistered. In order to fix the issue cancel the corresponding work in wiphy_unregister(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
02KernelScan AI Analysis
Risk summary
A use-after-free vulnerability in the WiFi cfg80211 subsystem allows local attackers to potentially cause system crashes or execute arbitrary code. The bug occurs when WiFi devices are being removed or the system is shutting down, creating a race condition between work queue cleanup and memory deallocation. While exploitation requires local access, it could lead to privilege escalation or denial of service attacks.
Vulnerability analysis
Root Cause: The cfg80211 wireless subsystem fails to cancel the rfkill_block work queue when a wiphy device is being unregistered. This creates a race condition where the work queue can continue executing after the wiphy structure has been freed, leading to a use-after-free vulnerability when cfg80211_rfkill_block_work tries to access the freed wiphy data.
Attack Surface: This vulnerability affects systems with WiFi hardware that supports rfkill functionality. The bug is triggered during device unregistration, which can occur during normal operations like module unloading, device removal, or system shutdown. The vulnerability requires local access to trigger device state changes but does not require elevated privileges to exploit the race condition.
Fix Mechanism: The patch adds a single line `cancel_work_sync(&rdev->rfkill_block);` in the wiphy_unregister() function to synchronously cancel the rfkill_block work before proceeding with device cleanup. This ensures the work queue is properly terminated before the associated data structures are freed.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 82a35356b5c1 |
| 5.15 | 5.15.203 | b2e9626a9d16 |
| 6.1 | 6.1.167 | eeea8da43ab8 |
| 6.12 | 6.12.77 | 57e39fe8da57 |
| 6.18 | 6.18.17 | 584279ad9ff1 |
| 6.19 | 6.19.7 | cd2f52944c7b |
| 6.6 | 6.6.130 | fa18639deab4 |
| mainline | 7.0 | 767d23ade706 |