Skip to main content

Linux Kernel CVE-2026-31780

| EUVDEUVD-2026-26593 HIGH
Out-of-bounds Write (CWE-787)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:32 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26593
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation

The variable valuesize is declared as u8 but accumulates the total length of all SSIDs to scan. Each SSID contributes up to 33 bytes (IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10) SSIDs the total can reach 330, which wraps around to 74 when stored in a u8.

This causes kmalloc to allocate only 75 bytes while the subsequent memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte heap buffer overflow.

Widen valuesize from u8 to u32 to accommodate the full range.

AnalysisAI

A heap buffer overflow in the Linux kernel's wilc1000 WiFi driver allows local authenticated users to trigger memory corruption via crafted SSID scan requests. The driver miscalculates buffer size due to u8 integer overflow (330 bytes wrapping to 74), causing kmalloc to allocate 75 bytes while memcpy writes up to 331 bytes - a 256-byte overflow. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.03% (9th percentile) suggests low likelihood of widespread exploitation, and CISA KEV does not list this CVE, indicating no confirmed active exploitation at time of analysis.

Technical ContextAI

The wilc1000 WiFi driver in the Linux kernel contains a classic integer overflow vulnerability in SSID scan buffer allocation logic. The code uses a u8 variable (valuesize) to accumulate total length across multiple SSIDs, where each SSID can be up to IEEE80211_MAX_SSID_LEN (32 bytes) plus 1 byte for length field. With WILC_MAX_NUM_PROBED_SSID set to 10, the theoretical maximum is 330 bytes. Since u8 can only represent 0-255, arithmetic overflow wraps 330 to 74. This causes a type/size mismatch between the kmalloc allocation (75 bytes based on wrapped value) and subsequent memcpy operations (up to 331 bytes of actual data), creating a heap buffer overflow condition. The fix widens valuesize from u8 to u32 to accommodate the full range without overflow. The vulnerability affects the wilc1000 wireless chipset driver introduced in commit c5c77ba18ea6 and is present in kernels from version 4.2 onward until patched.

RemediationAI

Update to patched Linux kernel versions appropriate for your deployed branch: 5.10.253+ for 5.10.x series, 5.15.203+ for 5.15.x, 6.1.168+ for 6.1.x, 6.6.134+ for 6.6.x, 6.12.81+ for 6.12.x, 6.18.22+ for 6.18.x, 6.19.12+ for 6.19.x, or 7.0+ for mainline. Patch commits are available at https://git.kernel.org/stable/ with commit hashes listed in references section. Organizations unable to immediately patch should assess if wilc1000 WiFi hardware is present in their environment (check lsmod for wilc1000_sdio or wilc1000_spi modules, or dmesg for wilc1000 references). If the driver is not loaded or hardware not present, the attack surface does not exist. As a temporary compensating control, the wilc1000 driver module can be blacklisted to prevent loading (add 'blacklist wilc1000_sdio' and 'blacklist wilc1000_spi' to /etc/modprobe.d/blacklist.conf), though this disables WiFi functionality for affected hardware. No runtime sysctl or configuration-based workaround exists to mitigate the overflow without patching. For embedded systems with wilc1000 chipsets where kernel updates are complex, consider network segmentation to limit local access by untrusted users, though this only reduces attack surface rather than eliminating the vulnerability.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31780 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy