Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down

When the nl80211 socket that originated a PMSR request is
closed, cfg80211_release_pmsr() sets the request's nl_portid
to zero and schedules pmsr_free_wk to process the abort
asynchronously. If the interface is concurrently torn down
before that work runs, cfg80211_pmsr_wdev_down() calls
cfg80211_pmsr_process_abort() directly. However, the already-
scheduled pmsr_free_wk work item remains pending and may run
after the interface has been removed from the driver. This
could cause the driver's abort_pmsr callback to operate on a
torn-down interface, leading to undefined behavior and
potential crashes.

Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
before calling cfg80211_pmsr_process_abort(). This ensures any
pending or in-progress work is drained before interface teardown
proceeds, preventing the work from invoking the driver abort
callback after the interface is gone.
Published: 2026-04-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel crash leading to denial of service
Action: Patch immediately
AI Analysis

Impact

The vulnerability is a race condition (CWE‑366) in the Linux kernel’s cfg80211 wireless subsystem. When a nl80211 socket sends a PMSR request and later the socket is closed, the kernel schedules a delayed work item (pmsr_free_wk) to abort the request. If the wireless interface is torn down before that work runs, the abort callback may execute against a removed interface, leading to undefined behavior and often a kernel panic or crash. This can interrupt all system services that rely on the networking stack.

Affected Systems

The bug appears in Linux kernels that implement cfg80211, notably kernel 5.0 and all 7.0 release candidates (rc1–rc7). All distributions shipping unmodified kernels within those ranges are potentially vulnerable until the patch is applied.

Risk and Exploitability

The CVSS score is 7.8, indicating high severity, while the EPSS score is below 1 %, implying a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. A local or privileged user can exploit it by sending PMSR requests and concurrently tearing down wireless interfaces; successful exploitation causes an undefined kernel failure that results in a denial‑of‑service condition for the entire system.

Generated by OpenCVE AI on April 28, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the patch for the cfg80211 PMSR scheduling bug.
  • If a kernel upgrade cannot be performed immediately, disable the PMSR feature or avoid tearing down wireless interfaces while PMSR requests are pending.
  • Monitor system logs for repeated kernel crashes involving wireless interface removal and apply relevant security updates as soon as they become available.

Generated by OpenCVE AI on April 28, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Mon, 27 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:5.0:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-366
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down When the nl80211 socket that originated a PMSR request is closed, cfg80211_release_pmsr() sets the request's nl_portid to zero and schedules pmsr_free_wk to process the abort asynchronously. If the interface is concurrently torn down before that work runs, cfg80211_pmsr_wdev_down() calls cfg80211_pmsr_process_abort() directly. However, the already- scheduled pmsr_free_wk work item remains pending and may run after the interface has been removed from the driver. This could cause the driver's abort_pmsr callback to operate on a torn-down interface, leading to undefined behavior and potential crashes. Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down() before calling cfg80211_pmsr_process_abort(). This ensures any pending or in-progress work is drained before interface teardown proceeds, preventing the work from invoking the driver abort callback after the interface is gone.
Title wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:10:54.375Z

Reserved: 2026-03-09T15:48:24.114Z

Link: CVE-2026-31548

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:28.930

Modified: 2026-04-27T20:15:55.493

Link: CVE-2026-31548

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31548 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:30:06Z

Weaknesses