CVE-2026-23185

N/A Unknown

📋 TL;DR

The iwlwifi driver in the Linux kernel does not properly cancel the mlo_scan_start_wk work on disconnection, which can lead to use-after-free or initialization-after-queue issues. This affects systems using Intel Wi-Fi 6E (Gig+) and Wi-Fi 7 (BE) hardware with the iwlwifi driver. The vulnerability could allow local attackers to crash the system or potentially execute arbitrary code.

💻 Affected Systems

Products:
  • Linux kernel with iwlwifi driver
Versions: Linux kernel versions before the fix commits (specific versions depend on distribution backports)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Intel Wi-Fi 6E (AX210/AX211/AX411) or Wi-Fi 7 (BE200/BE202) hardware with MLO (Multi-Link Operation) enabled

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation leading to kernel compromise and full system control

🟠 Likely Case: Kernel panic or system crash causing denial of service

🟢 If Mitigated: No impact if patched or workaround applied

🌐 Internet-Facing: LOW - Requires local access to exploit
🏢 Internal Only: MEDIUM - Local attackers on affected systems could cause crashes

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to trigger Wi-Fi disconnection scenarios

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel with commits 5ff641011ab7fb63ea101251087745d9826e8ef5 and 9b9f52f052f4953fecd2190ae2dde3aa76d10962

Vendor Advisory: https://git.kernel.org/stable/c/5ff641011ab7fb63ea101251087745d9826e8ef5

Restart Required: No

Instructions:

  1. Update Linux kernel to version containing the fix commits.
  2. For distributions: Use package manager (apt/yum/dnf) to update kernel package.
  3. Rebuild kernel if compiling from source with the patches applied.

🔧 Temporary Workarounds

Disable MLO feature

all

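Disable the Multi-Link Operation feature in the iwlwifi driver. The disable_11ax module parameter used below turns off the driver's 802.11ax (HE) capabilities as a whole, not MLO alone.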

echo "options iwlwifi disable_11ax=1" | sudo tee /etc/modprobe.d/iwlwifi-disable-mlo.conf
sudo modprobe -r iwlwifi
sudo modprobe iwlwifi

🧯 If You Can't Patch

  • Disable the affected Wi-Fi hardware and use alternative network interfaces
  • Implement strict access controls to prevent local users from triggering Wi-Fi disconnection events

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if iwlwifi module is loaded with MLO support: lsmod | grep iwlwifi && dmesg | grep -i mlo

Check Version:

uname -r

Verify Fix Applied:

In a checkout of the kernel source tree your kernel was built from, verify that the history includes the fix commits: git log --oneline | grep -E "5ff641011ab7|9b9f52f052f4"

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages
  • iwlwifi driver crash in dmesg
  • Use-after-free or init-after-queue kernel warnings

Network Indicators:

  • Unexpected Wi-Fi disconnections followed by system instability

SIEM Query:

source="kernel" AND ("panic" OR "Oops" OR "BUG") AND "iwlwifi"
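
A kernel crash report spans several log lines, so the driver name often sits a few lines below the "BUG:" or "Oops:" header and a single-line AND match like the query above can miss it. The following is an added example, not part of the original page or the kernel project: the function names, the window size and the sample log lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example. Correlates a crash header with a later "iwlwifi" mention.

# Reads kernel log text on stdin and prints each crash header line
# (Kernel panic / Oops: / BUG:) when "iwlwifi" appears on that line or
# within the next WINDOW lines. WINDOW is $1 and defaults to 20.
# The header pattern is slightly tighter than the bare words in the SIEM
# query so that strings such as "DEBUG:" do not open a window.
iwlwifi_crash_hits() {
    awk -v window="${1:-20}" '
        function flush_hit() {
            if (pending != "" && seen) print pending
            pending = ""; seen = 0
        }
        /Kernel panic|Oops:|(^|[^A-Z])BUG:/ {
            flush_hit()                      # close any window still open
            pending = $0; left = window
            seen = ($0 ~ /iwlwifi/)
            next
        }
        pending != "" {
            if ($0 ~ /iwlwifi/) seen = 1
            if (--left <= 0) flush_hit()     # window exhausted
        }
        END { flush_hit() }
    '
}

# Constructed sample log: one crash that involves iwlwifi, one that does not.
sample_log() {
cat <<'EOF'
[  101.000001] wlan0: deauthenticating from 02:00:00:00:00:01 by local choice
[  101.000420] BUG: KASAN: slab-use-after-free in process_one_work+0x1a0/0x4f0
[  101.000431] Modules linked in: iwlwifi cfg80211 mac80211
[  101.000440] Call Trace:
[  250.500000] BUG: unable to handle page fault for address: ffff888000000000
[  250.500010] Modules linked in: ext4 e1000e
EOF
}

sample_log | iwlwifi_crash_hits 5
```

On a live system the same function can be fed from `dmesg` or `journalctl -k`.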
