The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23133

CVE-2026-23133: Linux Kernel Buffer Overflow Vulnerability

CVE-2026-23133 is a buffer overflow flaw in the Linux kernel's ath10k WiFi driver affecting DMA memory management. This article covers the technical details, affected kernel versions, security impact, and mitigation.

Published: February 20, 2026

CVE-2026-23133 Overview

A memory management vulnerability has been identified in the Linux kernel's ath10k WiFi driver. The flaw exists in the handling of DMA (Direct Memory Access) coherent memory allocations, where dma_free_coherent() incorrectly uses aligned addresses instead of the original unaligned addresses stored during allocation. This mismatch between allocation and deallocation pointers can lead to memory corruption or system instability.

Critical Impact

Systems using Qualcomm Atheros 802.11ac wireless network adapters with the ath10k driver may experience kernel memory corruption, potentially leading to system crashes or unpredictable behavior when wireless functionality is utilized.

Affected Products

  • Linux Kernel with ath10k WiFi driver
  • Systems using Qualcomm Atheros 802.11ac wireless adapters
  • Embedded Linux devices with ath10k-based wireless hardware

Discovery Timeline

  • 2026-02-14 - CVE CVE-2026-23133 published to NVD
  • 2026-02-18 - Last updated in NVD database

Technical Details for CVE-2026-23133

Vulnerability Analysis

The vulnerability resides in the ath10k wireless driver's DMA memory management routines. When dma_alloc_coherent() is called to allocate DMA-mapped buffers, the function stores both the CPU virtual address and the DMA bus address in fields designated as XXX_unaligned. These original unaligned addresses are essential for proper memory deallocation.

The bug occurs because the driver subsequently calculates aligned versions of these addresses for operational use but mistakenly passes these aligned addresses to dma_free_coherent() during cleanup. Since the DMA subsystem expects the exact pointer returned by the allocation function, using an aligned (modified) pointer results in attempting to free an incorrect memory region.

This class of memory management error can lead to kernel heap corruption, as the allocator's internal metadata becomes inconsistent. In WiFi drivers that frequently allocate and deallocate DMA buffers during normal operation (transmit/receive queues, firmware communication), this bug could trigger memory corruption under typical wireless workloads.

Root Cause

The root cause is an incorrect pointer being passed to dma_free_coherent(). The ath10k driver performs address alignment on DMA buffers for hardware requirements but fails to preserve and use the original unaligned pointers during deallocation. The XXX_unaligned fields that store the original allocation addresses should be consistently used for both allocation tracking and freeing operations.

Attack Vector

This vulnerability is primarily a stability and reliability issue rather than a remotely exploitable security flaw. The attack vector is limited as exploitation would require:

  • Local access to a system with an affected ath10k wireless adapter
  • Ability to trigger repeated allocation/deallocation cycles in the driver
  • Potential timing-dependent corruption that could be difficult to control

While direct remote exploitation is unlikely, the memory corruption could theoretically be leveraged as part of a multi-stage attack chain if an attacker can reliably trigger the corruption and predict memory layout. Systems with high wireless activity or those that frequently toggle wireless interfaces are at higher risk of encountering this bug.

Detection Methods for CVE-2026-23133

Indicators of Compromise

  • Kernel oops or panic messages referencing the ath10k module
  • SLUB/SLAB allocator warnings about invalid free operations in kernel logs
  • Wireless interface instability or unexpected disconnections
  • System crashes correlating with WiFi activity patterns

Detection Strategies

  • Monitor dmesg and /var/log/kern.log for DMA-related warnings or errors from the ath10k driver
  • Enable kernel memory debugging options (KASAN, SLUB_DEBUG) to detect heap corruption early
  • Review system logs for patterns indicating memory allocation failures in wireless subsystem
  • Use kernel tracing tools (ftrace, perf) to monitor dma_alloc_coherent and dma_free_coherent calls in ath10k

Monitoring Recommendations

  • Implement automated log monitoring for kernel crash reports involving wireless drivers
  • Deploy systems with kdump/kexec configured to capture crash dumps for analysis
  • Track system uptime anomalies on devices with ath10k wireless hardware
  • Consider enabling kernel lockdep and memory debugging on test systems to catch corruption early

How to Mitigate CVE-2026-23133

Immediate Actions Required

  • Update to a patched Linux kernel version containing the fix commits
  • If updating is not immediately possible, consider disabling the wireless interface on affected systems
  • Prioritize patching on systems where wireless stability is critical (embedded devices, access points)
  • Review kernel logs for evidence of prior corruption before patching

Patch Information

Multiple patches have been released to the Linux kernel stable branches to address this vulnerability. The fix ensures that dma_free_coherent() receives the original unaligned pointer stored during allocation rather than the aligned operational address. Apply the appropriate patch for your kernel version:

  • Kernel Patch Commit 07f363f
  • Kernel Patch Commit 1928851
  • Kernel Patch Commit 5d6fa4d
  • Kernel Patch Commit 9282a1e
  • Kernel Patch Commit b0ad924
  • Kernel Patch Commit e2dda29
  • Kernel Patch Commit fc8da65

Workarounds

  • Temporarily disable the ath10k wireless module using modprobe -r ath10k_pci if WiFi is not essential
  • Use alternative network connectivity (Ethernet, USB wireless adapters with different drivers) while awaiting patching
  • On embedded systems, consider building a custom kernel with the specific patch applied
  • Reduce wireless activity intensity on affected systems until patches can be deployed
bash
# Temporarily disable ath10k wireless driver
sudo modprobe -r ath10k_pci ath10k_core

# Blacklist the driver to prevent automatic loading (temporary workaround)
echo "blacklist ath10k_pci" | sudo tee /etc/modprobe.d/blacklist-ath10k.conf

# Check current kernel version before patching
uname -r

# Update kernel on Debian/Ubuntu systems
sudo apt update && sudo apt upgrade linux-image-generic

# Update kernel on RHEL/CentOS systems
sudo yum update kernel

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeBuffer Overflow
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.02%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Kernel Patch Commit 07f363f
  • Kernel Patch Commit 1928851
  • Kernel Patch Commit 5d6fa4d
  • Kernel Patch Commit 9282a1e
  • Kernel Patch Commit b0ad924
  • Kernel Patch Commit e2dda29
  • Kernel Patch Commit fc8da65
  • Related CVEs
  • CVE-2026-23407: Linux Kernel Buffer Overflow Vulnerability
  • CVE-2026-23406: Linux Kernel Buffer Overflow Vulnerability
  • CVE-2026-23397: Linux Kernel Buffer Overflow Vulnerability
  • CVE-2026-23323: Linux Kernel Buffer Overflow Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English