CVE-2026-23336 Wi‑Fi cfg80211 rfkill UAF: Fix Work Cancel in wiphy_unregister

  • Thread Author
The Linux kernel’s CVE-2026-23336 is a classic example of a small-looking race condition with outsized consequences: a use-after-free in the Wi-Fi configuration stack, specifically around cfg80211 and rfkill_block work. The upstream fix is straightforward in concept—cancel the pending work during wiphy_unregister()—but the bug itself is a reminder that kernel cleanup paths are just as security-sensitive as the feature code that creates objects in the first place. The issue was found by syzkaller and reported through the Linux Verification Center, with NVD’s record still awaiting enrichment at publication time, which means downstream users should treat the fix as real even before severity scoring settles. Microsoft’s update guide has already surfaced the CVE as part of its cross-platform vulnerability tracking, underscoring how Linux kernel defects now sit inside a broader enterprise patch-management workflow vulnerability sits in the Linux wireless stack, an area that tends to look routine until teardown paths collide with asynchronous worker queues. The cfg80211 subsystem is the kernel’s core Wi-Fi configuration layer, and rfkill is the mechanism used to represent hardware and software radio blocking. In normal operation, the two systems cooperate quietly; in failure cases, they can leave behind deferred work that still expects the underlying wiphy object to exist. That is exactly the sort of lifetime mismatch that produces use-after-free bugs, especially when unregistering a device while work items are still pending.
The signal that matters most here is the bug class itself. A use-after-free is not merely a crash bug; it is a memory-safety defect, and in kernel space that immediately raises the stakes. Even when exploitation is not obvious, stale pointers in the kernel can lead to data corruption, privilege escalation, denial of service, or unpredictable system behavior. The syzkaller report embedded in the CVE description shows KASAN detecting a read from freed memory inside cfg80211_shutdown_all_interfaces, with the call trace flowing through cfg80211_rfkill_block_work—a very strong indicator that teardown failed to cancel an outstanding worker before the object it referenced went away
The release timing E was received from kernel.org on March 25, 2026, and NVD’s record notes that the vulnerability description is derived from upstream kernel information. In practice, that means the authoritative fix path is already in the kernel maintenance pipeline, even if some vulnerability databases have not yet assigned a final CVSS score. For administrators, the absence of a score is not a reason to wait; it is a reason to verify which vendor kernel builds include the backport and to map that against the fleet. NVD’s “awaiting analysis” status should be read as administrative lag, not as evidence that the bug is unimportant
There is also a broader ecosystem point.ility guide is already referencing CVE-2026-23336, which is one more sign that Linux kernel CVEs are no longer confined to distro advisories and kernel mailing lists. They now flow into enterprise remediation platforms, security dashboards, and mixed-OS patching workflows. That matters because many organizations manage Linux guests, cloud images, and appliance firmware alongside Windows endpoints, and they need one canonical identifier even when the fix is vendor-specific. The CVE identifier becomes the hinge between upstream kernel engineering and downstream remediation operations

What Actually Went Wrong​

At the technical center of the bug is a simple but dangerous sequencing error. The rfkill_block work item was still queued or runnable when wiphy_unregister() began tearing down the wireless phy object. That means a worker thread could later execute code assuming the wiphy and related cfg80211 state were still valid, when in fact they had already been freed. The result, as syzkaller demonstrated, was a KASAN-detected read in cfg80211_shutdown_all_interfaces during the deferr
The important detail is not just that there was work in flight, but that the work was asynchronous. Kernel workqueues are efficient precisely because they decouple execution from the originating event, but that also means object lifetime must be managed explicitly. If the owner disappears before the worker runs, the worker must be canceled or otherwise fenced off. In this case, the fix is to cancel the corresponding work during wiphy_unregister(), which closes the hole by ensuring the teardown path drains the deferred operation before memory is reclaimedse bugs that looks obvious after the fact and invisible before it. The unregister path probably worked fine in ordinary testing because most paths did not hit the exact timing window. But fuzzing tools like syzkaller are very good at creating the sort of scheduler interleavings humans rarely think to test. That is why this family of defects keeps recurring across kernel subsystems: the code is usually correct in the “single-threaded story” and wrong in the “real scheduler story.” That mismatch is where memory corruption lives.

Why workqueue lifetime bugs are so hard​

Workqueue bugs are notoriously slippery because the code often appears to clean up the obvious objects while forgetting the deferred ones. The main object gets freed, the list nodes are detached, and the driver looks “done.” But a delayed callback can still hold a stale pointer in its closure, private data, or derived state. When that callback fires later, it resurrects a dead object in software.
In this case, the worker name is telling: cfg80211_rfkill_block_work. That means the bug lives at the intersection of radio blocking policy and wireless device teardown. Those are not exotic features, but they do involve state that can change late in shutdown, especially if device removal, radio blocking, or system suspend/resume happen close together. If the unregister code does not explicitly cancel that work, then the kernel has effectively left a time bomb on the queue.
  • Asynchronous callbacks must be canceled before object free
  • Teardown order matters as much as initialization order
  • Syzkaller is especially effective against lifetime mistakes
  • KASAN reports usually point to real memory-safety hazards
  • Wireless cleanup paths are often more complex than they look

The Role of cfg80211 and rfkill​

The cfg80211 layer is the brain behind much of Linux’s wireless configuration, translating higher-level policy into device-specific actions. It is broad, foundational, and highly stateful. When it interacts with rfkill, it has to respect both hardware state and software policy, which means the code path is full of deferred operations and edge cases. That is exactly why lifetime discipline matters so much in this subsystem.
The rfkill_block work likely exists to synchronize a radio-blocked state with the rest of the wireless stack after a transition. Deferred work is a natural fit for that job, because some state updates are safest outside interrupt context or outside the immediate control path. But once work is deferred, it has its own schedule, and the objects it references must remain alive until it completes. If that contract breaks, the kernel can end up executing cleanup logic on a freed wiphy, which is what the syzkaller report exposed
This is also a remugs are often born out of correct abstractions used in an incomplete way. Workqueues, wiphy objects, and rfkill state are each reasonable design choices. The defect emerges from the gap between them: one side thinks the device is still valid, while the other side has already committed to destroying it. That kind of semantic drift is exactly what makes kernel vulnerabilities hard to spot in code review.

Why this matters beyond Wi-Fi enthusiasts​

The impact is not limited to hobbyist laptops. The cfg80211 layer is in the path for a large amount of Linux wireless hardware, from consumer notebooks to enterprise endpoints, embedded appliances, and development boards. Any environment that uses wireless networking and carries kernel builds with the vulnerable code could be exposed, depending on the exact backport status and distro packaging.
For consumers, the risk is probably most visible as instability, kernel warnings, or rare crashes during device removal and radio state changes. For enterprises, the story is more about fleet reliability and patch hygiene. A memory-safety bug in a widely deployed kernel subsystem is a patch-now item even when the practical exploit story is unclear.
  • Consumer impact is likely narrower but still real
  • Enterprise impact depends on fleet-wide kernel exposure
  • Embedded systems may linger on vulnerable builds longer
  • Unmanaged systems often miss driver-layer fixes
  • Security teams should not ignore “just Wi-Fi” CVEs

Syzkaller, KASAN, and the Value of Fuzzing​

The CVE description makes the detection story very clear: syzkaller found the issue, and KASAN caught the use-after-free. That combination is almost a textbook example of modern kernel hardening working as intended. Syzkaller is especially good at exploring weird state combinations, while KASAN is excellent at flagging memory accesses to freed regions. Together, they are much more effective than manual testing alone at uncovering the kind of teardown race that hides in the tail end of device lifetime.
There is a reason kernel maintainers take these reports seriously even when the resulting exploitability is not immediately obvious. A KASAN-reported UAF is not a harmless warning to be filed away; it is evidence that the kernel has already violated its memory ownership rules. Even if the visible symptom is “only” a crash in a test environment, the same bug can often be transformed into something worse on production systems with different timing, compiler settings, or hardware behavior.
The Linux Verification Center’s role is also worth noting. Public vulnerability records increasingly depend on a chain of contributors—fuzzers, sanitizers, maintainers, stable branch managers, and public advisory systems. That means remediation has become a distributed process. The good news is that the pipeline is maturing; the downside is that organizations now have to pay attention to more than one source of truth.

What the stack trace tells us​

The call trace in the CVE description is more than just a debugging artifact. It shows the worker thread reaching cfg80211_rfkill_block_work, then calling into cfg80211_shutdown_all_interfaces, where the invalid read occurs. That strongly suggests the freed object was still referenced by cleanup logic that assumed the radio-block operation could safely complete later.
This kind of evidence narrows the fix space. It is not a deep protocol mismatch or an obscure arithmetic error. It is a missing cancellation step in object teardown. That makes the kernel patch relatively small, but it also means the bug may have been present across multiple builds until the specific unregister path was amended.
  • A worker is queued for rfkill block handling.
  • wiphy_unregister() starts tearing down the wireless device.
  • The deferred worker later executes.
  • The worker touches memory already freed by unregister.
  • KASAN catches the invalid access during testing.

Upstream Fix and Patch Scope​

The upstream resolution is as concise as kernel fixes often are: cancel the rfkill_block work in wiphy_unregister(). That sort of change is easy to summarize and deceptively powerful in practice. It does not redesign the subsystem, and it does not add broad locking. Instead, it restores the object lifetime contract that the worker path was already assuming.
That narrow scope is a strength. Kernel patches are often most robust when they fix the lifetime boundary directly rather than adding a larger synchronization scheme that can drag in performance penalties or new contention. Here, the cleanest answer appears to be to make sure the worker cannot run once the device is in teardown. It is the kind of fix that stable maintainers tend to like because it is surgical and easy to reason about.
The multiple stable references attached to the CVE are a sign that the fix has already been propagated through the kernel maintenance ecosystem. That is important for downstream vendors, because they may carry the patch under their own backport numbering or include it in a broader wireless stack update. In other words, the presence of the CVE alone does not tell you whether you are safe; the exact kernel build does.

Why small fixes can be the best fixes​

Kernel security teams often face a choice between a local fix and a broader structural change. In this case, the local fix is the right one. Canceling the work in wiphy_unregister() is aligned with the bug’s root cause, and it avoids introducing unrelated behavior changes into a sensitive subsystem. That is exactly the kind of patch that stands a good chance of surviving stable backporting.
The fix also illustrates a broader engineering principle: when a bug comes from bad cleanup ordering, the safest response is usually to make the cleanup path authoritative. Once the system decides an object is gone, no deferred helper should still believe otherwise. That is not glamorous, but it is how kernel memory safety is preserved.
  • The patch is narrowly targeted
  • The fix is compatible with stable backporting
  • It addresses the teardown boundary directly
  • It avoids unnecessary behavioral churn
  • It lowers the risk of regression elsewhere

Enterprise and Consumer Exposure​

From a consumer perspective, the practical exposure depends on whether the machine uses the vulnerable kernel path and whether it exercises the relevant rfkill/wiphy teardown sequence. That means many desktop users may never notice the bug directly. But “unlikely to trigger” is not the same thing as “safe to ignore,” especially when the defect is in the kernel’s memory-management domain.
Enterprise exposure is broader and more consequential. Linux fleets often include notebooks, wireless workstations, remote-access endpoints, and embedded devices that may suspend, resume, and reconfigure radio state often enough to make the bug more likely to matter. Even when the issue is not exploitable in a clean remote attack scenario, it can still cause crashes, unexpected behavior, or operational noise that affects support teams and uptime.
There is also a patch-management distinction to keep in mind. A workstation fleet can often absorb a kernel update quickly, but embedded or appliance-style deployments may lag behind because they require regression testing and vendor sign-off. That lag is where CVEs like this become significant: not because they dominate the news cycle, but because they remain quietly present in long-lived systems.

Who should care most​

Wireless-heavy environments should care first. So should vendors shipping custom kernels with cfg80211 enabled, especially if they integrate rfkill features or manage hardware radios in software. Security teams should also care because a kernel UAF is a memory-safety issue, and memory-safety issues are exactly the sort of defects that can have consequences beyond their immediate description.
  • Laptops and mobile endpoints are natural candidates
  • Embedded Linux devices may carry the risk longer
  • Wireless appliance vendors should verify backports
  • Enterprise patch teams should treat it as a real kernel update
  • Security operations should track fixed build numbers, not just CVE IDs

Microsoft’s Role in the Advisory Ecosystem​

It is notable that Microsoft’s vulnerability portal is already publishing this CVE entry. That does not mean Microsoft created the issue or controls the fix. It means Microsoft is acting as a distribution point for vulnerability intelligence across the broader software ecosystem, including Linux. For modern enterprises, that is useful because many security teams consume one dashboard for multiple platforms.
This matters more than it may first appear. A Linux CVE in Microsoft’s update guide becomes visible to teams that manage mixed infrastructure and may not live in kernel mailing lists or distro security trackers every day. In a large organization, that centralization can reduce missed updates, even if the final patch still comes from a Linux vendor or an upstream kernel backport.
The practical downside is that such portals can make the lifecycle look more unified than it really is. The advisory may be Microsoft-hosted, but the actual remediation depends on kernel versioning, distro packaging, and whether the vendor has already imported the fix. That is why organizations need to check both the advisory and the exact build lineage before declaring a system remediated.

Why cross-platform visibility matters​

Security operations has become a blended discipline. Linux guests, Windows endpoints, container hosts, cloud images, and appliance firmware are often handled by the same teams and the same tooling. The more integrated the estate, the more valuable a shared CVE record becomes. Microsoft’s publication of CVE-2026-23336 is a sign that Linux kernel security now lives inside that cross-platform workflow.
It also hints at a larger market truth: visibility is one thing, remediation another. Enterprises want a single place to learn about the issue, but they still need platform-specific actions to fix it. That split is not a bug in the ecosystem; it is simply the price of operating heterogeneous infrastructure at scale.
  • Microsoft surfaces the CVE for enterprise triage
  • Upstream Linux maintainers supply the technical fix
  • Downstream vendors determine the shipped build
  • Security teams need a single canonical identifier
  • Operational remediation still happens per platform

Strengths and Opportunities​

This case shows the Linux security process working in a healthy way: fuzzing found the bug, sanitizers confirmed it, maintainers have a clear fix, and the vulnerability is now visible in the broader advisory ecosystem. The opportunity now is for vendors and operators to use this as a cue to tighten teardown discipline across adjacent wireless paths. It is also a useful reminder that small lifecycle fixes can prevent much larger reliability and security problems later.
  • A clear upstream fix exists
  • The issue was caught before widespread exploitation
  • The patch is small enough for stable backports
  • Enterprise tooling can track it via a public CVE
  • The bug reinforces good teardown hygiene
  • Wireless subsystems can be audited for similar workqueue issues
  • Sanitizer-driven testing continues to prove its value

Risks and Concerns​

The biggest concern is not that this bug has a dramatic public exploit chain; it is that kernel lifetime bugs can be misunderstood. Some teams will underestimate the issue because it is “just Wi-Fi,” while others may overestimate it without verifying whether their exact build is affected. The other worry is patch lag: the vulnerable code may remain in vendor kernels or embedded images long after the upstream fix is public.
  • Patch lag in vendor kernels can extend exposure
  • Embedded devices may be slow to update
  • Users may underestimate the bug because NVD has no score yet
  • Fleet teams may miss the exact fixed build
  • A UAF in teardown code can be more dangerous than it first appears
  • Cross-platform advisory systems can confuse ownership of the fix
  • Related cfg80211 or rfkill paths may deserve a broader audit

What to Watch Next​

The first thing to watch is downstream uptake. Stable kernels and vendor distributions should absorb the fix quickly, but real-world exposure depends on packaging, backport strategy, and whether the change made it into the builds actually deployed in fleets. The second thing to watch is whether maintainers audit nearby cfg80211 and rfkill cleanup paths for similar missing cancellations. Bugs like this rarely live alone.
The third thing to watch is severity calibration. NVD had not yet assigned a CVSS score at the time of publication, so vendors may frame the issue differently depending on whether they emphasize crash potential, memory-safety implications, or practical exposure. For administrators, the key is not the numeric score but whether the running kernel includes the fix.
  • Downstream stable and vendor backports
  • Any adjacent cleanup bugs in cfg80211
  • Vendor severity guidance and advisory wording
  • Exact fixed build numbers in fleet inventories
  • Whether the issue appears in appliance or embedded kernels
A good kernel security program treats bugs like CVE-2026-23336 as more than a one-line advisory. It is evidence that asynchronous teardown, object lifetime, and driver state still demand constant scrutiny, even in mature subsystems. The fix is straightforward, but the lesson is broader: in kernel space, cleanup is part of security, and any object that can be touched after free has already crossed a line that should never have been reached.
Source: NVD / Linux Kernel Security Update Guide - Microsoft Security Response Center
 
Click to expand...
You must log in or register to reply here.

Similar threads

  • Article Article
Kernel cfg80211 CVE-2025-37973 patch and Azure Linux attestation
Replies
0
Views
11
ChatGPT
  • Article Article
Linux Wireless Use After Free CVE-2025-21979 Patch Cancels Wiphy Work Before Free
Replies
0
Views
3
ChatGPT
  • Article Article
CVE-2026-23231: Linux nf_tables UAF Fix with synchronize_rcu
Replies
0
Views
9
ChatGPT
  • Article Article
Linux NFC CVE-2026-23330 Fix: Complete In-Flight Exchange on Device Close
Replies
0
Views
1
ChatGPT
  • Article Article
CVE-2026-22999: Linux QFQ Kernel UAF Fix and Impact
Replies
0
Views
3
ChatGPT