Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
8DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom
Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push"), wl1271_tx_allocate() and with it wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails. However, in wlcore_tx_work_locked(), a return value of -EAGAIN from wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being full. This causes the code to flush the buffer, put the skb back at the head of the queue, and immediately retry the same skb in a tight while loop.
Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens immediately with GFP_ATOMIC, this will result in an infinite loop and a CPU soft lockup. Return -ENOMEM instead so the packet is dropped and the loop terminates.
The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y.
AnalysisAI
Denial of service via CPU soft lockup in Linux kernel's wlcore Wi-Fi driver (versions 5.10 through 7.0) occurs when memory allocation fails during wireless frame transmission. Incorrect error code return (-EAGAIN instead of -ENOMEM) triggers infinite retry loop while holding critical mutex, causing system unresponsiveness. Vendor-released patches available across all affected stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0). CVSS 7.5 (High) reflects network attack vector with no authentication required, though EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV); no public exploit identified at time of analysis.
Technical ContextAI
The vulnerability exists in the Linux kernel's wlcore driver (TI wireless LAN chipset support) within the transmit path functions wl1271_tx_allocate() and wl1271_prepare_tx_frame(). The bug was introduced in commit e75665dd0968 which added headroom validation via pskb_expand_head() but incorrectly returned -EAGAIN on allocation failure. The wlcore_tx_work_locked() function misinterprets -EAGAIN as a signal that the aggregation buffer is full (a transient condition requiring retry), rather than a fatal memory allocation error. This semantic mismatch between error producer and consumer creates a tight infinite loop: the function holds wl->mutex, attempts the same SKB with GFP_ATOMIC allocation (which continues failing), and never releases the lock. The affected CPE identifiers (cpe:2.3:a:linux:linux) cover mainline and stable kernel trees from 5.10.x through 7.0, with specific vulnerable commit ranges documented in EUVD version tracking. The correct fix changes the return value to -ENOMEM, which causes packet drop and loop termination rather than infinite retry.
RemediationAI
Vendor-released patches are available for all affected stable kernel branches. Upgrade to patched versions: 5.10.253+, 5.15.203+, 6.1.167+, 6.6.130+, 6.12.78+, 6.18.20+, 6.19.10+, or mainline 7.0+. Patch references and commits available at https://git.kernel.org/stable/ with specific fix commits listed in References section. For systems unable to immediately patch, the following compensating controls provide limited mitigation with noted trade-offs: (1) Disable the wlcore wireless driver via modprobe blacklist (add 'blacklist wlcore' to /etc/modprobe.d/blacklist.conf) - this prevents the vulnerable code path entirely but eliminates wireless functionality on affected hardware, requiring alternative network connectivity via Ethernet or external USB wireless adapters. (2) Implement memory pressure monitoring and proactive system restarts when available memory drops below operational thresholds - this reduces exploit window duration but does not prevent the vulnerability and introduces service interruption. (3) Deploy kernel watchdog timers with aggressive soft lockup detection thresholds to force system recovery - this limits DoS duration to watchdog timeout period (typically 20-60 seconds) but results in unclean reboots and potential data loss. These workarounds are inferior to patching and should only be temporary measures for systems in patch testing cycles or requiring change approval windows.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise High Availability Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Live Patching 15 SP7 | Fixed |
| SUSE Linux Enterprise Live Patching 15 SP7 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Development Tools 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Development Tools 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Legacy 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Legacy 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Public Cloud 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Public Cloud 15 SP7 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| SUSE Real Time Module 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Live Patching 12 SP5 | Fixed |
| SUSE Linux Enterprise Live Patching 12 SP5 | Fixed |
| SUSE Linux Enterprise Live Patching 15 SP4 | Fixed |
| SUSE Linux Enterprise Live Patching 15 SP4 | Fixed |
| SUSE Linux Enterprise Live Patching 15 SP5 | Fixed |
| SUSE Linux Enterprise Live Patching 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Development Tools 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Development Tools 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Development Tools 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE | Fixed |
| SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE | Fixed |
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE CaaS Platform 4.0 | Fixed |
| SUSE Enterprise Storage 6 | Fixed |
| SUSE Enterprise Storage 7 | Fixed |
| SUSE Enterprise Storage 7.1 | Fixed |
| SUSE Linux Enterprise Desktop 11 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP1 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP2 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise Micro 5.0 | Fixed |
| SUSE Linux Enterprise Micro 5.1 | Fixed |
| SUSE Linux Enterprise Micro 5.1 | Fixed |
| SUSE Linux Enterprise Micro 5.1 | Fixed |
| SUSE Linux Enterprise Micro 5.2 | Fixed |
| SUSE Linux Enterprise Micro 5.2 | Fixed |
| SUSE Linux Enterprise Micro 5.2 | Fixed |
| SUSE Linux Enterprise Micro 5.2 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP1 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP2 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP3 | Fixed |
| SUSE Linux Enterprise Module for Development Tools 15 SP1 | Fixed |
| SUSE Linux Enterprise Module for Development Tools 15 SP2 | Fixed |
| SUSE Linux Enterprise Module for Development Tools 15 SP3 | Fixed |
| SUSE Linux Enterprise Module for Public Cloud 15 SP6 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP2 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP3 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP3 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP4 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP4 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP5 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 11 SP4 | Fixed |
| SUSE Linux Enterprise Server 11 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise Server 12 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP1 | Fixed |
| SUSE Linux Enterprise Server 15 SP1-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP2 | Fixed |
| SUSE Linux Enterprise Server 15 SP2-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP3 | Fixed |
| SUSE Linux Enterprise Server 15 SP3-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Manager Proxy 4.0 | Fixed |
| SUSE Manager Proxy 4.1 | Fixed |
| SUSE Manager Proxy 4.2 | Fixed |
| SUSE Manager Retail Branch Server 4.0 | Fixed |
| SUSE Manager Retail Branch Server 4.1 | Fixed |
| SUSE Manager Retail Branch Server 4.2 | Fixed |
| SUSE Manager Server 4.0 | Fixed |
| SUSE Manager Server 4.1 | Fixed |
| SUSE Manager Server 4.2 | Fixed |
| SUSE OpenStack Cloud 9 | Fixed |
| SUSE OpenStack Cloud Crowbar 9 | Fixed |
| SUSE Real Time Module 15 SP3 | Fixed |
| SUSE Real Time Module 15 SP4 | Fixed |
| SUSE Real Time Module 15 SP5 | Fixed |
| SUSE Real Time Module 15 SP6 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25445
GHSA-f5xv-cjm8-337g