Skip to main content

Linux Kernel CVE-2026-31548

| EUVDEUVD-2026-25441 HIGH
2026-04-24 Linux GHSA-4288-373w-7jf8
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:15 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:28 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 24, 2026 - 16:01 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25441
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:33 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down

When the nl80211 socket that originated a PMSR request is closed, cfg80211_release_pmsr() sets the request's nl_portid to zero and schedules pmsr_free_wk to process the abort asynchronously. If the interface is concurrently torn down before that work runs, cfg80211_pmsr_wdev_down() calls cfg80211_pmsr_process_abort() directly. However, the already- scheduled pmsr_free_wk work item remains pending and may run after the interface has been removed from the driver. This could cause the driver's abort_pmsr callback to operate on a torn-down interface, leading to undefined behavior and potential crashes.

Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down() before calling cfg80211_pmsr_process_abort(). This ensures any pending or in-progress work is drained before interface teardown proceeds, preventing the work from invoking the driver abort callback after the interface is gone.

AnalysisAI

Use-after-free race condition in Linux kernel Wi-Fi cfg80211 subsystem allows local authenticated users to trigger kernel crashes or potentially execute code. When a nl80211 socket closes while a peer measurement (PMSR) request is active, concurrent interface teardown can leave a scheduled work item (pmsr_free_wk) that later invokes the driver's abort callback on already-freed interface structures. EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild. Patches available across all supported kernel branches since commit 9bb7e0f24e7e (introduced in Linux 5.0), with fixes released in stable versions 6.1.167, 6.6.130, 6.12.78, 6.18.20, and 6.19.10.

Technical ContextAI

The cfg80211 wireless configuration subsystem in the Linux kernel manages peer measurement (PMSR) requests initiated via nl80211 netlink sockets. When a socket closes, the kernel schedules asynchronous cleanup via a work queue (pmsr_free_wk). The vulnerability arises from a classic time-of-check-to-time-of-use (TOCTOU) race: if the wireless interface is torn down (via cfg80211_pmsr_wdev_down) before the scheduled work executes, the work item persists and later attempts to call the driver's abort_pmsr callback on a freed wireless device structure. This creates a use-after-free condition in kernel memory. The affected code path involves interaction between the wireless stack's netlink interface, work queue scheduling, and driver-specific callbacks, making it specific to systems with Wi-Fi hardware using the cfg80211 framework. The CPE strings indicate broad applicability across the Linux kernel ecosystem from version 5.0 onward, affecting all distributions running these kernel versions.

RemediationAI

Primary remediation is upgrading to patched kernel versions: 6.1.167+ for LTS 6.1 branch, 6.6.130+ for LTS 6.6, 6.12.78+ for 6.12 stable, 6.18.20+ for 6.18, 6.19.10+ for 6.19, or mainline 7.0+. Patches available at https://git.kernel.org/stable/ with branch-specific commits: 28d3551f8d8c (mainline), 37e776e2e0a5 (6.19), d32c07ef1880 (6.18), a1b7a843f12a (6.12), 72b7ea786b8e (6.6), 6dccbc9f3e1d (6.1). Organizations unable to immediately patch can implement compensating controls with significant usability trade-offs: disable Wi-Fi peer measurement functionality via modprobe blacklisting of cfg80211 PMSR features (requires recompilation or runtime parameter modification), restrict local user access to nl80211 netlink sockets via SELinux/AppArmor policies (breaks legitimate Wi-Fi management tools), or disable Wi-Fi interfaces entirely on affected systems (eliminates wireless connectivity). These workarounds reduce functionality and should be temporary-kernel patching remains the definitive solution. Enterprise patch management systems should prioritize deployment within normal maintenance windows rather than emergency out-of-band updates given low EPSS risk.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31548 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy