Bug 2492303 (CVE-2026-53112) - CVE-2026-53112 kernel: wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet
Summary: CVE-2026-53112 kernel: wifi: rtlwifi: pci: fix possible use-after-free caused...
Keywords:
Status: NEW
Alias: CVE-2026-53112
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-24 18:04 UTC by OSIDB Bzimport
Modified: 2026-06-25 17:57 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-24 18:04:32 UTC 
In the Linux kernel, the following vulnerability has been resolved:

wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet

The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and
scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware.
But it is never killed in rtl_pci_deinit(). When the rtlwifi card
probe fails or is being detached, the ieee80211_hw is deallocated.
However, irq_prepare_bcn_tasklet may still be running or pending,
leading to use-after-free when the freed ieee80211_hw is accessed
in _rtl_pci_prepare_bcn_tasklet().

Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to
ensure that irq_prepare_bcn_tasklet is properly terminated before
the ieee80211_hw is released.

The issue was identified through static analysis.
Comment 1 Keith Grant 2026-06-25 17:55:02 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062414-CVE-2026-53112-ca3f@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.