Cyber Resilience

CVE-2026-23185

High

Published: 14 February 2026

Published
14 February 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 5.5th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23185 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23185 is a use-after-free vulnerability (CWE-416) in the Linux kernel's iwlwifi driver, specifically within the multi-link device (MLD) subsystem. The issue arises because the mlo_scan_start_wk work item is not canceled upon disconnection, except during restart cleanup. This can lead to an init-after-queue problem if the work is queued and then drv_change_interface executes, or a use-after-free if the work runs after the virtual interface (vif) is freed. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-14.

A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of required user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or system crashes through the mishandled workqueue execution.

Mitigation involves applying the upstream kernel patches referenced in the stable branch commits at https://git.kernel.org/stable/c/5ff641011ab7fb63ea101251087745d9826e8ef5 and https://git.kernel.org/stable/c/9b9f52f052f4953fecd2190ae2dde3aa76d10962, which resolve the issue by properly canceling the mlo_scan_start_wk on disconnection.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: cancel mlo_scan_start_wk mlo_scan_start_wk is not canceled on disconnection. In fact, it is not canceled anywhere except in the restart cleanup, where we don't really have to. This…

more

can cause an init-after-queue issue: if, for example, the work was queued and then drv_change_interface got executed. This can also cause use-after-free: if the work is executed after the vif is freed.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local use-after-free in kernel driver directly enables privilege escalation via arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel
CVE-2026-23001Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.19 · 6.17 — 6.18.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely identification, reporting, and correction of flaws, directly requiring application of kernel patches that cancel mlo_scan_start_wk on disconnection to eliminate the use-after-free vulnerability.

prevent

Provides memory protections like address space randomization and non-executable memory that mitigate exploitation of the use-after-free in the iwlwifi driver even prior to patching.

detect

Requires vulnerability scanning to identify the presence of CVE-2026-23185 in kernel deployments, enabling prompt remediation.

References