Skip to main content

Linux Kernel iwlwifi EUVDEUVD-2026-26592

| CVE-2026-31779 HIGH
Out-of-bounds Read (CWE-125)
2026-05-01 Linux
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:32 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
8.1 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26592
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 8.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()

The memcpy function assumes the dynamic array notif->matches is at least as large as the number of bytes to copy. Otherwise, results->matches may contain unwanted data. To guarantee safety, extend the validation in one of the checks to ensure sufficient packet length.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

AnalysisAI

Out-of-bounds read in Linux kernel iwlwifi driver allows adjacent network attackers to disclose sensitive kernel memory or trigger denial of service without authentication. The vulnerability affects the iwlwifi wireless driver's network detection match handler function, where insufficient packet length validation enables memcpy to read beyond allocated buffer boundaries. EPSS probability is low (0.02%, 7th percentile) and no active exploitation confirmed (not in CISA KEV). Vendor patches available across multiple kernel stable branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).

Technical ContextAI

This vulnerability resides in the iwlwifi module, Intel's wireless driver for Linux kernel WiFi chipsets. The iwl_mvm_nd_match_info_handler() function processes network detection match notifications from firmware. The flaw occurs when memcpy blindly copies data from notif->matches dynamic array into results->matches without validating that the packet length accommodates the requested copy size. This is a classic unbounded read scenario where the kernel trusts firmware-provided packet structures without sufficient size validation. The CWE is not specified but aligns with CWE-125 (Out-of-bounds Read). The vulnerable code path was introduced in commit 5ac54afd4d97ad8d94fe250c83b1924eb6d2268c and affects kernel versions from 6.1 through 7.0-rc releases. CPE strings identify the Linux kernel broadly; affected component is specifically the iwlwifi/mvm driver module.

RemediationAI

Apply vendor-released kernel updates to the following fixed versions based on your kernel series: 6.1.168 or later for 6.1.x series, 6.6.134 or later for 6.6.x, 6.12.81 or later for 6.12.x, 6.18.22 or later for 6.18.x, 6.19.12 or later for 6.19.x, or 7.0 final release for 7.0-rc users. Patch commits are available at git.kernel.org/stable URLs listed in references. For systems unable to immediately patch, compensating controls include disabling the iwlwifi module if wireless functionality is not required (modprobe blacklist iwlwifi), restricting wireless network associations to fully trusted SSIDs only via network-manager or wpa_supplicant configuration (prevents adjacent attacker positioning), or migrating affected workloads to wired network interfaces. Note that disabling iwlwifi eliminates wireless connectivity entirely; SSID restrictions reduce but do not eliminate risk if attackers can access trusted networks. Kernel live-patching services (kpatch, kGraft) may provide hotfix options for production systems requiring zero-downtime remediation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26592 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy