In the Linux kernel, the following vulnerability has been resolved:
wifi: mwifiex: fix use-after-free in mwifiexadaptercleanup()
The mwifiexadaptercleanup() function uses timerdelete() (non-synchronous) for the wakeuptimer before the adapter structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete.
If the wakeuptimer callback (wakeuptimerfn) is executing when mwifiexadaptercleanup() is called, the callback will continue to access adapter fields (adapter->hwstatus, adapter->ifops.cardreset, etc.) which may be freed by mwifiexfreeadapter() called later in the mwifiexremovecard() path.
Use timerdeletesync() instead to ensure any running timer callback has completed before returning.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46069.json",
"cna_assigner": "Linux"
}