—

CVE-2026-23444EXPLOITEDPATCHED

linux · linux kernel

wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do. Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac80211_hwsim) to avoid double-free. Document the skb ownership guarantee in the function's kdoc.

Affected Products

Vendor	Product	Versions
linux	linux kernel	06be6b149f7e406bcf16098567f5a6c9f042bced, 06be6b149f7e406bcf16098567f5a6c9f042bced, 06be6b149f7e406bcf16098567f5a6c9f042bced, 3.13, 6.18.20, 6.19.10, 7.0-rc5, 6.18.19, 6.19.9, 7.0-rc4

References

Related News (2 articles)

Tier C

VulDB3h ago

CVE-2026-23444 | Linux Kernel up to 6.18.19/6.19.9/7.0-rc4 wifi ieee80211_tx_prepare_skb double free

→ No new info (linked only)

Tier C

Linux Kernel CVEs3h ago

CVE-2026-23444: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

06e769dddcbeb3baf2ce346273b53dd61fdbecf450f1b690b4868923fbd242298def2fb88662f108d5ad6ab61cbd89afdb60881f6274f74328af3ee906.18.206.19.107.0-rc5

PublishedApr 3, 2026

Last enriched2h agov3

Trending Score61

Source articles2

Independent2

Info Completeness8/14

Missing: cvss, epss, cwe, kev, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-31393EXP

Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access

Trending: 61

CRITICALCVE-2026-31397EXP

mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd()

Trending: 61

CRITICALCVE-2026-23463EXP

soc: fsl: qbman: fix race condition in qman_destroy_fq

Trending: 61

CRITICALCVE-2026-23472EXP

serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN

Trending: 61

CRITICALCVE-2026-23467EXP

drm/i915/dmc: Fix an unlikely NULL pointer deference at probe

Trending: 61

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 3, 2026

Actively Exploited

Apr 3, 2026

Exploit Available

Apr 3, 2026

Patch Available

Apr 3, 2026

Discovered by ZDM

Apr 3, 2026

Updated: description, affectedVersions, severity, exploitAvailable, activelyExploited

Apr 3, 2026

Updated: severity, affectedVersions

Apr 3, 2026

Version History

Last enriched 2h ago

v3Tier C2h ago

Updated severity to CRITICAL, added new affected versions, and noted no available exploit.

severityaffectedVersions

via VulDB

v2Tier C2h ago

Updated description with more technical detail, added affected versions 6.18.20, 6.19.10, and 7.0-rc5, changed severity to HIGH, and marked exploit availability and active exploitation as true.

descriptionaffectedVersionsseverityexploitAvailableactivelyExploited

via Linux Kernel CVEs

v13h ago

Initial creation