CVE-2026-23336 Overview
CVE-2026-23336 is a use-after-free vulnerability [CWE-416] in the Linux kernel's cfg80211 wireless configuration subsystem. The flaw resides in the wireless rfkill workqueue path, where cfg80211_rfkill_block_work is not cancelled when a wiphy is unregistered. A kernel worker can dereference freed memory inside cfg80211_shutdown_all_interfaces, as detected by syzkaller and confirmed via KASAN.
The issue affects multiple Linux kernel branches, including stable 6.x series and 7.0 release candidates. Exploitation requires local access and low privileges, with the potential to corrupt kernel memory and impact confidentiality, integrity, and availability of the host.
Critical Impact
A local attacker triggering wiphy unregister races can free memory still referenced by the rfkill block worker, leading to kernel memory corruption and potential local privilege escalation.
Affected Products
- Linux kernel stable branches prior to the fixes referenced in the upstream commits
- Linux kernel 2.6.31 and later releases incorporating the cfg80211 rfkill_block work path
- Linux kernel 7.0 release candidates rc1 through rc7
Discovery Timeline
- 2026-03-25 - CVE-2026-23336 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-23336
Vulnerability Analysis
The bug is a classic use-after-free in the Linux kernel wireless stack. The cfg80211 subsystem schedules an asynchronous workqueue item, cfg80211_rfkill_block_work, to handle rfkill state changes for a registered wiphy device. When the wiphy is unregistered, the surrounding data structures are torn down, but the pending rfkill_block work is not cancelled.
If the worker runs after teardown begins, it calls cfg80211_shutdown_all_interfaces against memory that has already been freed. KASAN captured a read of size 8 at a freed address, with the call chain cfg80211_rfkill_block_work → cfg80211_shutdown_all_interfaces. The fix cancels the rfkill_block work inside wiphy_unregister() to synchronize teardown with any in-flight worker.
Root Cause
The root cause is missing synchronization between the wiphy lifecycle and a deferred workqueue handler. The wiphy_unregister() function did not invoke cancel_work_sync() on the rfkill_block work item, allowing the worker to observe a partially or fully freed wiphy. This is a lifetime management defect rather than a logic error in the worker itself.
Attack Vector
The attack vector is local. A user with sufficient privileges to influence wireless device registration, rfkill state, or namespace teardown can race a wiphy unregister against pending rfkill state changes. Syzkaller reproduced the condition under a QEMU test harness, indicating that the race is reachable through standard kernel interfaces exposed to local userspace, including network namespace manipulation and rfkill ioctls.
No public exploit code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The fix is distributed across multiple stable backport commits referenced in the upstream advisories.
Detection Methods for CVE-2026-23336
Indicators of Compromise
- Kernel oops or KASAN reports referencing cfg80211_shutdown_all_interfaces or cfg80211_rfkill_block_work in dmesg or syslog
- Unexpected kernel panics or soft lockups in kworker threads handling events workqueues during wireless device removal or namespace teardown
- Repeated rfkill state transitions immediately preceding wiphy unregister events in audit logs
Detection Strategies
- Enable KASAN (CONFIG_KASAN) on test and staging kernels to surface use-after-free reads from the cfg80211 path
- Monitor dmesg for BUG: KASAN: use-after-free strings tied to wireless symbols and forward those events to centralized logging
- Inventory running kernel versions against the patched commit hashes such as 57e39fe8da57, 767d23ade706, and 82a35356b5c1
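The dmesg monitoring strategy above can be automated with a small log filter. The following is an added example, not code from the upstream advisory or the kernel project: it groups kernel log lines into KASAN reports and keeps only use-after-free reports that mention cfg80211_rfkill_block_work or cfg80211_shutdown_all_interfaces. The function names and the sample log (addresses, offsets, the unrelated symbol) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report KASAN use-after-free splats that involve the cfg80211
# rfkill worker path. Reads kernel log text (dmesg or syslog) on stdin and
# prints one summary line per matching report. The pattern matches both
# "use-after-free" and the newer "slab-use-after-free" wording.
scan_cfg80211_kasan() {
    awk '
    function flush() {
        if (in_report && hit) print header " | " access
        in_report = 0; hit = 0; header = ""; access = ""
    }
    /BUG: KASAN: .*use-after-free/ {          # start of a new KASAN report
        flush()
        match($0, /BUG: KASAN: .*/); header = substr($0, RSTART)
        in_report = 1
    }
    in_report && /(Read|Write) of size [0-9]+/ {
        match($0, /(Read|Write) of size .*/); access = substr($0, RSTART)
    }
    # Symbol may appear in the header, the Workqueue: line or the call trace.
    in_report && /cfg80211_(rfkill_block_work|shutdown_all_interfaces)/ { hit = 1 }
    in_report && /====================/ { flush() }   # report terminator
    END { flush() }
    '
}

# Constructed sample input (addresses, offsets and the unrelated symbol are made up).
sample_log() {
    cat <<'EOF'
[  101.000001] wlan0: deauthenticating by local choice
[  101.204410] ==================================================================
[  101.204415] BUG: KASAN: slab-use-after-free in cfg80211_shutdown_all_interfaces+0x1f0/0x200
[  101.204421] Read of size 8 at addr ffff888000000000 by task kworker/0:1/42
[  101.204430] Workqueue: events cfg80211_rfkill_block_work
[  101.204436] Call Trace:
[  101.204440]  cfg80211_shutdown_all_interfaces+0x1f0/0x200
[  101.204444]  cfg80211_rfkill_block_work+0x2a/0x40
[  101.204449]  process_one_work+0x900/0x1a00
[  101.204455] ==================================================================
[  230.500000] ==================================================================
[  230.500004] BUG: KASAN: slab-use-after-free in example_unrelated_fn+0x10/0x20
[  230.500009] Read of size 4 at addr ffff888000001000 by task demo/77
[  230.500015] ==================================================================
EOF
}

sample_log | scan_cfg80211_kasan
```

On a live host, feed the function the output of dmesg or journalctl -k instead of the sample, and forward any line it prints to the central log pipeline.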
Monitoring Recommendations
- Forward kernel ring buffer events from Linux endpoints into a centralized log pipeline for retroactive search
- Alert on creation of wireless namespaces or repeated wiphy registrations by non-root users on multi-tenant hosts
- Track installation of out-of-tree wireless drivers that may delay vendor patch adoption
How to Mitigate CVE-2026-23336
Immediate Actions Required
- Apply the latest stable kernel update from your Linux distribution that includes the upstream fix cancelling rfkill_block work in wiphy_unregister()
- Restrict local shell access on systems exposing wireless interfaces, including containers with CAP_NET_ADMIN
- Audit running kernels against the fix commits in Kernel Git Commit Update 1 and Kernel Git Commit Update 4
Patch Information
The upstream fix cancels the corresponding rfkill_block work item during wiphy_unregister(), eliminating the race. Backports are available in stable trees through commits 57e39fe8da57, 584279ad9ff1, 767d23ade706, 82a35356b5c1, b2e9626a9d16, cd2f52944c7b, eeea8da43ab8, and fa18639deab4. Rebuild and reboot affected systems after applying.
Workarounds
- Disable or blacklist the cfg80211 and dependent wireless modules on systems that do not require wireless functionality, such as servers and virtual machines
- Restrict unprivileged user namespace creation by setting kernel.unprivileged_userns_clone=0 to reduce local attack surface
- Remove CAP_NET_ADMIN from untrusted workloads and containers to prevent rfkill and wiphy manipulation
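# Configuration example
# Verify running kernel version
uname -r
# Blacklist cfg80211 on hosts that do not need wireless.
# "blacklist" only stops alias-based autoloading; the "install" line also
# blocks loading cfg80211 as a dependency of a wireless driver module.
printf 'blacklist cfg80211\ninstall cfg80211 /bin/false\n' | sudo tee /etc/modprobe.d/disable-cfg80211.conf
# Restrict unprivileged user namespaces.
# This sysctl comes from a distribution patch (Debian/Ubuntu kernels) and is
# not present in mainline; sysctl --system reports an error where it is missing.
echo 'kernel.unprivileged_userns_clone=0' | sudo tee /etc/sysctl.d/99-userns.conf
sudo sysctl --system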

