{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23444", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.019Z", "datePublished": "2026-04-03T15:15:28.464Z", "dateUpdated": "2026-04-03T15:15:28.464Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:28.464Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure\n\nieee80211_tx_prepare_skb() has three error paths, but only two of them\nfree the skb. The first error path (ieee80211_tx_prepare() returning\nTX_DROP) does not free it, while invoke_tx_handlers() failure and the\nfragmentation check both do.\n\nAdd kfree_skb() to the first error path so all three are consistent,\nand remove the now-redundant frees in callers (ath9k, mt76,\nmac80211_hwsim) to avoid double-free.\n\nDocument the skb ownership guarantee in the function's kdoc."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath9k/channel.c", "drivers/net/wireless/mediatek/mt76/scan.c", "drivers/net/wireless/virtual/mac80211_hwsim.c", "include/net/mac80211.h", "net/mac80211/tx.c"], "versions": [{"version": "06be6b149f7e406bcf16098567f5a6c9f042bced", "lessThan": "06e769dddcbeb3baf2ce346273b53dd61fdbecf4", "status": "affected", "versionType": "git"}, {"version": "06be6b149f7e406bcf16098567f5a6c9f042bced", "lessThan": "50f1b690b4868923fbd242298def2fb88662f108", "status": "affected", "versionType": "git"}, {"version": "06be6b149f7e406bcf16098567f5a6c9f042bced", "lessThan": "d5ad6ab61cbd89afdb60881f6274f74328af3ee9", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/ath/ath9k/channel.c", "drivers/net/wireless/mediatek/mt76/scan.c", "drivers/net/wireless/virtual/mac80211_hwsim.c", "include/net/mac80211.h", "net/mac80211/tx.c"], "versions": [{"version": "3.13", "status": "affected"}, {"version": "0", "lessThan": "3.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.13", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/06e769dddcbeb3baf2ce346273b53dd61fdbecf4"}, {"url": "https://git.kernel.org/stable/c/50f1b690b4868923fbd242298def2fb88662f108"}, {"url": "https://git.kernel.org/stable/c/d5ad6ab61cbd89afdb60881f6274f74328af3ee9"}], "title": "wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure\n\nieee80211_tx_prepare_skb() has three error paths, but only two of them\nfree the skb. The first error path (ieee80211_tx_prepare() returning\nTX_DROP) does not free it, while invoke_tx_handlers() failure and the\nfragmentation check both do.\n\nAdd kfree_skb() to the first error path so all three are consistent,\nand remove the now-redundant frees in callers (ath9k, mt76,\nmac80211_hwsim) to avoid double-free.\n\nDocument the skb ownership guarantee in the function's kdoc."}], "id": "CVE-2026-23444", "lastModified": "2026-04-03T16:16:28.810", "metrics": {}, "published": "2026-04-03T16:16:28.810", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/06e769dddcbeb3baf2ce346273b53dd61fdbecf4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/50f1b690b4868923fbd242298def2fb88662f108"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d5ad6ab61cbd89afdb60881f6274f74328af3ee9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure", "id": "2454876", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454876"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1341", "details": ["A flaw was found in the Linux kernel's mac80211 Wi-Fi subsystem. This vulnerability occurs because a specific error path within the `ieee80211_tx_prepare_skb()` function fails to properly release a network buffer, known as a socket buffer (skb). This inconsistency can lead to a double-free condition, where the same memory is freed multiple times. A local attacker could exploit this to cause memory corruption, potentially leading to a system crash (Denial of Service) or, in more severe scenarios, the execution of unauthorized code."], "name": "CVE-2026-23444", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23444\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23444\nhttps://lore.kernel.org/linux-cve-announce/2026040314-CVE-2026-23444-8169@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[06be6b149f7e406bcf16098567f5a6c9f042bced,06e769dddcbeb3baf2ce346273b53dd61fdbecf4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[06be6b149f7e406bcf16098567f5a6c9f042bced,50f1b690b4868923fbd242298def2fb88662f108)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[06be6b149f7e406bcf16098567f5a6c9f042bced,d5ad6ab61cbd89afdb60881f6274f74328af3ee9)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T18:55:02.219375+00:00", "value": {"mitigation_remediation": ["Upgrade to a kernel version that includes the CVE-2026-23444 fix", "Verify that the kernel version after the update reflects the patched code", "Ensure that all embedded Wi\u2011Fi drivers are updated to the latest vendor release"], "summary": {"action": "Apply Patch", "impact": "Kernel memory corruption"}, "threat_synthesis": {"affected_systems": "All Linux kernels that have not yet applied the fix are affected, including standard distributions that ship the default kernel for x86_64, ARM, and other architectures. The fix removes this problem from drivers such as ath9k, mt76, and mac80211_hwsim. Systems using older kernels that still contain the bug will remain vulnerable until an updated kernel is installed.", "description_and_impact": "The flaw resides in the Linux mac80211 Wi\u2011Fi stack where the transmit preparation routine fails to free a socket buffer consistently on error. When the first failure path is taken, the buffer is never released, leaving a dangling reference; other paths free the buffer twice. This inconsistency can corrupt kernel memory or crash the system. An attacker who can trigger the error route with crafted frames could potentially cause arbitrary code execution in kernel context.", "risk_and_exploitability": "No CVSS score or EPSS value is provided and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no known active exploits. Nevertheless, the bug involves kernel memory handling, so the risk is considered high if successfully exploited. The likely attack vector involves wireless traffic: an attacker would need to send specially crafted Wi\u2011Fi frames that trigger the transmit\u2011preparation error path, or potentially exploit a local user with privileges that can cause the driver to process frames."}}}}, "created": "2026-04-03T21:13:54.086110+00:00", "updated": "2026-04-03T21:16:07.302292+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-415"]}