CVE-2026-23185
Published: 14 February 2026
Summary
CVE-2026-23185 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23185 is a use-after-free vulnerability (CWE-416) in the Linux kernel's iwlwifi driver, specifically within the multi-link device (MLD) subsystem. The issue arises because the mlo_scan_start_wk work item is not canceled upon disconnection, except during restart cleanup. This can lead to an init-after-queue problem if the work is queued and then drv_change_interface executes, or a use-after-free if the work runs after the virtual interface (vif) is freed. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-14.
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of required user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or system crashes through the mishandled workqueue execution.
Mitigation involves applying the upstream kernel patches referenced in the stable branch commits at https://git.kernel.org/stable/c/5ff641011ab7fb63ea101251087745d9826e8ef5 and https://git.kernel.org/stable/c/9b9f52f052f4953fecd2190ae2dde3aa76d10962, which resolve the issue by properly canceling the mlo_scan_start_wk on disconnection.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5859
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: cancel mlo_scan_start_wk mlo_scan_start_wk is not canceled on disconnection. In fact, it is not canceled anywhere except in the restart cleanup, where we don't really have to. This…
more
can cause an init-after-queue issue: if, for example, the work was queued and then drv_change_interface got executed. This can also cause use-after-free: if the work is executed after the vif is freed.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local use-after-free in kernel driver directly enables privilege escalation via arbitrary code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates timely identification, reporting, and correction of flaws, directly requiring application of kernel patches that cancel mlo_scan_start_wk on disconnection to eliminate the use-after-free vulnerability.
Provides memory protections like address space randomization and non-executable memory that mitigate exploitation of the use-after-free in the iwlwifi driver even prior to patching.
Requires vulnerability scanning to identify the presence of CVE-2026-23185 in kernel deployments, enabling prompt remediation.