CVE-2026-46069
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
A vulnerability has been identified in the Linux kernel within the mwifiex_adapter_cleanup() function that may lead to a use-after-free error. The issue arises when timer_delete() is called before the adapter structure is freed, potentially allowing access to freed adapter fields by an executing callback.
Risk Assessment
Organizations may be exposed to unpredictable system behavior, including potential crashes or security breaches, if an attacker exploits this vulnerability to gain access to memory.
Recommendation
It is recommended to update the Linux kernel to apply the fix that replaces timer_delete() with timer_delete_sync(), ensuring that all running callbacks are completed before freeing resources.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() The mwifiex_adapter_cleanup() function uses timer_delete() (non-synchronous) for the wakeup_timer before the adapter structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If the wakeup_timer callback (wakeup_timer_fn) is executing when mwifiex_adapter_cleanup() is called, the callback will continue to access adapter fields (adapter->hw_status, adapter->if_ops.card_reset, etc.) which may be freed by mwifiex_free_adapter() called later in the mwifiex_remove_card() path. Use timer_delete_sync() instead to ensure any running timer callback has completed before returning.

