CVE-2026-23336
Published: 25 March 2026
Summary
CVE-2026-23336 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation through application of Linux kernel patches that cancel rfkill_block work in wiphy_unregister() directly eliminates the use-after-free vulnerability in cfg80211_shutdown_all_interfaces.
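Memory protection mechanisms such as KASLR and SMEP make the use-after-free in cfg80211 harder to exploit: KASLR randomizes the kernel memory layout, and SMEP stops the kernel from executing code in user-space pages. They raise the cost of turning a dangling pointer into arbitrary code execution but do not remove the flaw.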
Secure kernel configuration settings, including hardening parameters and disabling unnecessary cfg80211 features, reduce exposure to the rfkill_block workqueue use-after-free during wiphy unregistration.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel UAF in cfg80211 enables direct exploitation for privilege escalation to achieve arbitrary code execution.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()

There is a use-after-free error in cfg80211_shutdown_all_interfaces found by syzkaller:

BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220
Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326

CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events cfg80211_rfkill_block_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x116/0x1f0
 print_report+0xcd/0x630
 kasan_report+0xe0/0x110
 cfg80211_shutdown_all_interfaces+0x213/0x220
 cfg80211_rfkill_block_work+0x1e/0x30
 process_one_work+0x9cf/0x1b70
 worker_thread+0x6c8/0xf10
 kthread+0x3c5/0x780
 ret_from_fork+0x56d/0x700
 ret_from_fork_asm+0x1a/0x30
 </TASK>

The problem arises due to the rfkill_block work is not cancelled when wiphy is being unregistered. In order to fix the issue cancel the corresponding work in wiphy_unregister().

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Deeper analysis
CVE-2026-23336 is a use-after-free vulnerability in the Linux kernel's cfg80211 subsystem, specifically within the cfg80211_shutdown_all_interfaces function. The rfkill_block work is not cancelled during wiphy_unregister(), so the work can still run after the wiphy has been unregistered; the Kernel Address Sanitizer (KASAN) reported the resulting use-after-free in a syzkaller test case. The issue affects Linux kernel versions that do not yet carry the relevant stable patches and is classified as CWE-416.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N/S:U) can exploit this vulnerability, as indicated by its CVSS v3.1 base score of 7.8. Exploitation requires low complexity and no user interaction, potentially allowing the attacker to achieve high impacts on confidentiality, integrity, and availability, such as arbitrary code execution or kernel crashes via the dangling reference in the rfkill_block workqueue.
Mitigation is provided through upstream kernel patches available in the stable repository, including commits 57e39fe8da573435fa35975f414f4dc17d9f8449, 584279ad9ff1e8e7c5494b9fce286201f7d1f9e2, 767d23ade706d5fa51c36168e92a9c5533c351a1, 82a35356b5c1f75fe6a8a561db44e8d0e49da8f9, and b2e9626a9d16b9bbbd06498c9e73c93be354dc7a. These patches fix the issue by explicitly cancelling the rfkill_block work in wiphy_unregister(). Security practitioners should ensure kernels are updated to incorporate these changes.
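The lifetime problem described above, as a small userspace C model added here for illustration (it is not kernel code and not taken from the upstream patch): a queued work item outlives its owner unless teardown cancels it first. The model_* names and the queue are hypothetical stand-ins, and "freeing" is modelled by a flag so the program itself never touches freed memory.

```c
/* Userspace model only; every name here is a hypothetical stand-in. */
#include <stdbool.h>
#include <stddef.h>

struct model_wiphy { bool registered; }; /* false once teardown "freed" it */
static struct model_wiphy *queue[8];     /* owners of queued rfkill_block work */
static size_t qcount;

/* Models the rfkill_block work being queued for this owner. */
static void model_schedule(struct model_wiphy *w) {
    if (qcount < 8)
        queue[qcount++] = w;
}

/* Drop the owner's work from the queue so the worker never runs it. */
static void model_cancel(struct model_wiphy *w) {
    size_t j = 0;
    for (size_t i = 0; i < qcount; i++)
        if (queue[i] != w)
            queue[j++] = queue[i];
    qcount = j;
}

/* Teardown; cancel_first == false is the ordering before the fix. */
static void model_unregister(struct model_wiphy *w, bool cancel_first) {
    if (cancel_first)
        model_cancel(w);
    w->registered = false; /* stands in for freeing the object */
}

/* Worker pass: count items whose owner is gone (what KASAN would flag). */
static int model_run_worker(void) {
    int stale = 0;
    for (size_t i = 0; i < qcount; i++)
        if (!queue[i]->registered)
            stale++;
    qcount = 0;
    return stale;
}

/* Schedule, unregister, then run the worker; returns stale accesses. */
int model_scenario(bool cancel_first) {
    struct model_wiphy w = { .registered = true };
    model_schedule(&w);
    model_unregister(&w, cancel_first);
    return model_run_worker();
}

int main(void) { return model_scenario(true); } /* fixed ordering */
```

The same ordering rule applies to any object that embeds deferred work: cancel the work before the teardown path releases the object.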
Details
- CWE(s)