Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-27T00:00:00 kernel: wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CWE-825

In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() The mwifiex_adapter_cleanup() function uses timer_delete() (non-synchronous) for the wakeup_timer before the adapter structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If the wakeup_timer callback (wakeup_timer_fn) is executing when mwifiex_adapter_cleanup() is called, the callback will continue to access adapter fields (adapter->hw_status, adapter->if_ops.card_reset, etc.) which may be freed by mwifiex_free_adapter() called later in the mwifiex_remove_card() path. Use timer_delete_sync() instead to ensure any running timer callback has completed before returning.

A flaw was found in the Linux kernel's mwifiex Wi-Fi driver. The `mwifiex_adapter_cleanup()` function incorrectly uses a non-synchronous timer deletion, allowing the `wakeup_timer` callback to access memory after it has been freed. This use-after-free vulnerability can lead to system instability, crashes, or potentially arbitrary code execution, impacting the system's reliability and security.

Red Hat Enterprise Linux 10 Affected kernel Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel Red Hat Enterprise Linux 7 Not affected kernel-rt Red Hat Enterprise Linux 8 Affected kernel Red Hat Enterprise Linux 8 Affected kernel-rt Red Hat Enterprise Linux 9 Affected kernel Red Hat Enterprise Linux 9 Affected kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-46069 https://nvd.nist.gov/vuln/detail/CVE-2026-46069 https://lore.kernel.org/linux-cve-announce/2026052757-CVE-2026-46069-b583@gregkh/T