HIGH
mac80211 TX Prepare Memory Leak
CVE-2026-23444
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure

ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do.

Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac80211_hwsim) to avoid double-free. Document the skb ownership guarantee in the function's kdoc.
02 KernelScan AI Analysis
Risk summary
A memory leak in the WiFi subsystem's packet preparation function can cause gradual kernel memory exhaustion. While not directly exploitable for code execution, repeated triggering of the vulnerable code path through WiFi operations could lead to denial of service by consuming available kernel memory.
Vulnerability analysis
Root Cause: The ieee80211_tx_prepare_skb() function has inconsistent memory management across its three error paths. When ieee80211_tx_prepare() returns TX_DROP (first error path), the function returns false but does not free the skb, while the other two error paths (invoke_tx_handlers() failure and fragmentation check) do free the skb. This creates an inconsistent API contract where callers cannot reliably know whether they need to free the skb on failure.
Attack Surface: This affects WiFi drivers that use the ieee80211_tx_prepare_skb() helper function. The vulnerability requires local access to trigger WiFi operations that would cause the TX_DROP error path, such as probe requests during scanning or power save frame transmission. The memory leak occurs in kernel space and could lead to resource exhaustion over time.
Fix Mechanism: The patch adds kfree_skb() to the first error path to make all three error paths consistent in freeing the skb. It also removes redundant kfree_skb() calls from wireless drivers (ath9k, mt76, mac80211_hwsim) that were compensating for this inconsistency, preventing potential double-free issues. The function's kdoc is updated to document the ownership guarantee that the skb is always freed on failure.
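To make the ownership contract concrete, here is an added, self-contained model in C. It is not kernel code and not part of the KernelScan report: a stand-in prepare routine with the same three error paths in a buggy and a fixed variant, a fixed buffer pool in place of kernel memory so that leaks and double frees are countable, and a driver-style loop that models both a caller that trusts the contract and one that compensated for the old leak by freeing on its own. Every name here (struct skb, skb_alloc, prepare_skb_buggy, prepare_skb_fixed, run_tx, POOL_SIZE) is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 8

/* Hypothetical stand-in for struct sk_buff. Buffers come from a fixed
 * pool so a double free is counted rather than being undefined behaviour. */
struct skb {
    bool in_use;
    size_t len;
};

static struct skb pool[POOL_SIZE];
static long double_frees;            /* constructed counter of over-releases */

static struct skb *skb_alloc(size_t len)
{
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].len = len;
            return &pool[i];
        }
    }
    return NULL;                     /* pool exhausted: the model's memory exhaustion */
}

static void skb_free(struct skb *s)
{
    if (!s->in_use) {
        double_frees++;              /* freeing a buffer that is already free */
        return;
    }
    s->in_use = false;
}

static long live_skbs(void)
{
    long n = 0;
    for (size_t i = 0; i < POOL_SIZE; i++)
        n += pool[i].in_use;
    return n;
}

static void pool_reset(void)
{
    memset(pool, 0, sizeof(pool));
    double_frees = 0;
}

/* Outcome forced on a prepare call: success or one of the three error paths. */
enum prep_outcome { PREP_OK, PREP_TX_DROP, PREP_HANDLER_FAIL, PREP_FRAGMENTED };

/* Before the fix: the TX_DROP path returns without consuming the skb. */
static bool prepare_skb_buggy(struct skb *s, enum prep_outcome outcome)
{
    switch (outcome) {
    case PREP_TX_DROP:
        return false;                /* skb still allocated, caller not told */
    case PREP_HANDLER_FAIL:
    case PREP_FRAGMENTED:
        skb_free(s);
        return false;
    default:
        return true;
    }
}

/* After the fix: every failure path frees the skb, so callers never do. */
static bool prepare_skb_fixed(struct skb *s, enum prep_outcome outcome)
{
    switch (outcome) {
    case PREP_TX_DROP:
    case PREP_HANDLER_FAIL:
    case PREP_FRAGMENTED:
        skb_free(s);
        return false;
    default:
        return true;
    }
}

typedef bool (*prepare_fn)(struct skb *, enum prep_outcome);

/* Driver-style loop: allocate, prepare, and on success "transmit" (free).
 * caller_frees_on_error models a driver that compensated for the old leak
 * by freeing the skb itself after a failed prepare. Returns buffers still
 * live after n iterations; double_frees records any over-release. */
static long run_tx(prepare_fn prep, enum prep_outcome outcome,
                   bool caller_frees_on_error, int n)
{
    for (int i = 0; i < n; i++) {
        struct skb *s = skb_alloc(64);
        if (!s)
            break;                   /* nothing left to allocate */
        if (!prep(s, outcome)) {
            if (caller_frees_on_error)
                skb_free(s);
            continue;
        }
        skb_free(s);                 /* transmitted and released */
    }
    return live_skbs();
}

int main(void)
{
    pool_reset();
    printf("buggy, TX_DROP, trusting caller: %ld of %d buffers leaked\n",
           run_tx(prepare_skb_buggy, PREP_TX_DROP, false, 100), POOL_SIZE);
    pool_reset();
    run_tx(prepare_skb_fixed, PREP_TX_DROP, true, 5);
    printf("fixed, TX_DROP, compensating caller: %ld double frees\n", double_frees);
    return 0;
}
```

The two runs in main are the two halves of the patch: the buggy prepare with a trusting caller drains the pool one buffer per dropped frame, which is the leak, while the fixed prepare combined with a caller that still frees on failure over-releases every buffer, which is why the patch also removes the driver-side frees in ath9k, mt76 and mac80211_hwsim rather than only adding the missing one.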
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 905ef207d5ed |
| 5.15 | 5.15.209 | 5ef8ca1c1647 |
| 6.1 | 6.1.175 | 9a779d1f480e |
| 6.6 | 6.6.136 | f77b51bcee7b |
| 6.12 | 6.12.84 | 3b4d27acafae |
| 6.18 | 6.18.20 | 06e769dddcbe |
| 6.19 | 6.19.10 | 50f1b690b486 |
| mainline | 7.0 | d5ad6ab61cbd |