Skip to main content

Linux Kernel wlcore EUVDEUVD-2026-25445

| CVE-2026-31552 HIGH
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-04-24 Linux GHSA-f5xv-cjm8-337g
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:15 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:28 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.5 (HIGH)
Patch available
Apr 24, 2026 - 16:01 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25445
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:33 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom

Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push"), wl1271_tx_allocate() and with it wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails. However, in wlcore_tx_work_locked(), a return value of -EAGAIN from wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being full. This causes the code to flush the buffer, put the skb back at the head of the queue, and immediately retry the same skb in a tight while loop.

Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens immediately with GFP_ATOMIC, this will result in an infinite loop and a CPU soft lockup. Return -ENOMEM instead so the packet is dropped and the loop terminates.

The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y.

AnalysisAI

Denial of service via CPU soft lockup in Linux kernel's wlcore Wi-Fi driver (versions 5.10 through 7.0) occurs when memory allocation fails during wireless frame transmission. Incorrect error code return (-EAGAIN instead of -ENOMEM) triggers infinite retry loop while holding critical mutex, causing system unresponsiveness. Vendor-released patches available across all affected stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0). CVSS 7.5 (High) reflects network attack vector with no authentication required, though EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV); no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability exists in the Linux kernel's wlcore driver (TI wireless LAN chipset support) within the transmit path functions wl1271_tx_allocate() and wl1271_prepare_tx_frame(). The bug was introduced in commit e75665dd0968 which added headroom validation via pskb_expand_head() but incorrectly returned -EAGAIN on allocation failure. The wlcore_tx_work_locked() function misinterprets -EAGAIN as a signal that the aggregation buffer is full (a transient condition requiring retry), rather than a fatal memory allocation error. This semantic mismatch between error producer and consumer creates a tight infinite loop: the function holds wl->mutex, attempts the same SKB with GFP_ATOMIC allocation (which continues failing), and never releases the lock. The affected CPE identifiers (cpe:2.3:a:linux:linux) cover mainline and stable kernel trees from 5.10.x through 7.0, with specific vulnerable commit ranges documented in EUVD version tracking. The correct fix changes the return value to -ENOMEM, which causes packet drop and loop termination rather than infinite retry.

RemediationAI

Vendor-released patches are available for all affected stable kernel branches. Upgrade to patched versions: 5.10.253+, 5.15.203+, 6.1.167+, 6.6.130+, 6.12.78+, 6.18.20+, 6.19.10+, or mainline 7.0+. Patch references and commits available at https://git.kernel.org/stable/ with specific fix commits listed in References section. For systems unable to immediately patch, the following compensating controls provide limited mitigation with noted trade-offs: (1) Disable the wlcore wireless driver via modprobe blacklist (add 'blacklist wlcore' to /etc/modprobe.d/blacklist.conf) - this prevents the vulnerable code path entirely but eliminates wireless functionality on affected hardware, requiring alternative network connectivity via Ethernet or external USB wireless adapters. (2) Implement memory pressure monitoring and proactive system restarts when available memory drops below operational thresholds - this reduces exploit window duration but does not prevent the vulnerability and introduces service interruption. (3) Deploy kernel watchdog timers with aggressive soft lockup detection thresholds to force system recovery - this limits DoS duration to watchdog timeout period (typically 20-60 seconds) but results in unclean reboots and potential data loss. These workarounds are inferior to patching and should only be temporary measures for systems in patch testing cycles or requiring change approval windows.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25445 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy