CVE-2026-23444
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do. Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac80211_hwsim) to avoid double-free. Document the skb ownership guarantee in the function's kdoc.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.13%• Percentile: 3%
Techniques & Countermeasures
- CWE-401•Missing Release of Memory after Effective Lifetime
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Affected Systems
- linux•linux
≥ 06be6b149f7e406bcf16098567f5a6c9f042bced, < 905ef207d5ed99ca64adfe39fba9ac46e434327a | ≥ 06be6b149f7e406bcf16098567f5a6c9f042bced, < 5ef8ca1c164786da24169af155c1ca1ff1353cf8 | ≥ 06be6b149f7e406bcf16098567f5a6c9f042bced, < 9a779d1f480e83720b5384adf165604e7ee226bd | ≥ 06be6b149f7e406bcf16098567f5a6c9f042bced, < f77b51bcee7be2bb686b5f7a2d4a1921e4bdb9f4 | ≥ 06be6b149f7e406bcf16098567f5a6c9f042bced, < 3b4d27acafaeab478fd24f79ad6e593a892828b9 | ≥ 06be6b149f7e406bcf16098567f5a6c9f042bced, < 06e769dddcbeb3baf2ce346273b53dd61fdbecf4 | ≥ 06be6b149f7e406bcf16098567f5a6c9f042bced, < 50f1b690b4868923fbd242298def2fb88662f108 | ≥ 06be6b149f7e406bcf16098567f5a6c9f042bced, < d5ad6ab61cbd89afdb60881f6274f74328af3ee9 | 3.13
- linux•linux_kernel
≥ 3.13.1, < 6.18.20 | ≥ 6.19, < 6.19.10 | 3.13 | 7.0:rc1 | 7.0:rc2 | 7.0:rc3 | 7.0:rc4 | 7.0:rc5 | 7.0:rc6 | 7.0:rc7
References (8)
- https://git.kernel.org/stable/c/06e769dddcbeb3baf2ce346273b53dd61fdbecf4
- https://git.kernel.org/stable/c/50f1b690b4868923fbd242298def2fb88662f108
- https://git.kernel.org/stable/c/d5ad6ab61cbd89afdb60881f6274f74328af3ee9
- https://git.kernel.org/stable/c/f77b51bcee7be2bb686b5f7a2d4a1921e4bdb9f4
- https://git.kernel.org/stable/c/3b4d27acafaeab478fd24f79ad6e593a892828b9
- https://git.kernel.org/stable/c/905ef207d5ed99ca64adfe39fba9ac46e434327a
- https://git.kernel.org/stable/c/5ef8ca1c164786da24169af155c1ca1ff1353cf8
- https://git.kernel.org/stable/c/9a779d1f480e83720b5384adf165604e7ee226bd