In the Linux kernel, the following vulnerability has been resolved:
wifi: libertas: fix use-after-free in lbs_free_adapter()
The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete.
If a timer callback is executing when lbs_free_adapter() is called, the callback will access freed memory since lbs_cfg_free() frees the containing structure immediately after lbs_free_adapter() returns.
Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler) access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields, which would all be use-after-free violations.
Use timer_delete_sync() instead to ensure any running timer callback has completed before returning.
This bug was introduced in commit 8f641d93c38a ("libertas: detect TX lockups and reset hardware") where del_timer() was used instead of del_timer_sync() in the cleanup path. The command_timer has had the same issue since the driver was first written.
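A userspace C11 model of the teardown race described above, added here as an illustration; it is not the libertas driver code or the upstream patch. The struct, the function names and the `freed` flag (which stands in for the real free, so the model never touches released memory) are assumptions.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <threads.h>   /* C11 threads; also provides struct timespec */

enum { IDLE, PENDING, RUNNING };
static const struct timespec TICK = { .tv_nsec = 1000000 };   /* 1 ms */
/* Userspace model; all names are hypothetical, not libertas code. */
struct model_priv {
    atomic_int timer_state;       /* models command_timer */
    atomic_bool freed;            /* set where the driver would free priv */
    atomic_bool used_after_free;  /* callback ran on "freed" state */
};

/* Models a timer callback that keeps using priv fields while it runs. */
static int timer_callback(void *arg)
{
    struct model_priv *priv = arg;
    int expected = PENDING;
    if (!atomic_compare_exchange_strong(&priv->timer_state, &expected, RUNNING))
        return 0;                            /* deleted before it fired */
    for (int i = 0; i < 100 && !atomic_load(&priv->freed); i++)
        thrd_sleep(&TICK, NULL);             /* up to ~100 ms of callback work */
    /* The driver would dereference priv here; record whether it was freed. */
    atomic_store(&priv->used_after_free, atomic_load(&priv->freed));
    atomic_store(&priv->timer_state, IDLE);
    return 0;
}

/* sync=false models timer_delete(); sync=true models timer_delete_sync(). */
static void model_timer_delete(struct model_priv *priv, bool sync)
{
    int expected = PENDING;
    atomic_compare_exchange_strong(&priv->timer_state, &expected, IDLE);
    while (sync && atomic_load(&priv->timer_state) == RUNNING)
        thrd_sleep(&TICK, NULL);             /* wait out the running callback */
}

/* Tears down mid-callback; returns true if the callback saw freed state. */
static bool teardown_races(bool sync)
{
    struct model_priv priv = { PENDING, false, false };
    thrd_t t;
    thrd_create(&t, timer_callback, &priv);
    while (atomic_load(&priv.timer_state) == PENDING)
        thrd_sleep(&TICK, NULL);             /* let the callback start */
    model_timer_delete(&priv, sync);
    atomic_store(&priv.freed, true);         /* "free" right after teardown */
    thrd_join(t, NULL);                      /* model cleanup only */
    return atomic_load(&priv.used_after_free);
}
```

With the non-synchronous delete the callback is still running when the structure is marked freed; with the synchronous delete the teardown blocks until the callback has returned.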
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23281.json",
"cna_assigner": "Linux"
}