CVE-2026-23444 PUBLISHED

wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure

Assigner: Linux
Reserved: 13.01.2026 Published: 03.04.2026 Updated: 03.04.2026

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure

ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do.

Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac80211_hwsim) to avoid double-free.

Document the skb ownership guarantee in the function's kdoc.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 06be6b149f7e406bcf16098567f5a6c9f042bced to 06e769dddcbeb3baf2ce346273b53dd61fdbecf4 (excl.)
  • affected from 06be6b149f7e406bcf16098567f5a6c9f042bced to 50f1b690b4868923fbd242298def2fb88662f108 (excl.)
  • affected from 06be6b149f7e406bcf16098567f5a6c9f042bced to d5ad6ab61cbd89afdb60881f6274f74328af3ee9 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 3.13 is affected
  • unaffected from 0 to 3.13 (excl.)
  • unaffected from 6.18.20 to 6.18.* (incl.)
  • unaffected from 6.19.10 to 6.19.* (incl.)
  • unaffected from 7.0-rc5 to * (incl.)

References