CVE-2026-31552 - Vulnerability Details

- wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom

Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom
before skb_push"), wl1271_tx_allocate() and with it
wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.
However, in wlcore_tx_work_locked(), a return value of -EAGAIN from
wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being
full. This causes the code to flush the buffer, put the skb back at the
head of the queue, and immediately retry the same skb in a tight while
loop.

Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens
immediately with GFP_ATOMIC, this will result in an infinite loop and a
CPU soft lockup. Return -ENOMEM instead so the packet is dropped and
the loop terminates.

The problem was found by an experimental code review agent based on
gemini-3.1-pro while reviewing backports into v6.18.y.

Published: 2026-04-24

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Linux wireless driver wlcore: when a transmit packet fails to allocate sufficient headroom, the driver mistakenly interprets the failure as a full aggregation buffer. The code then enters a tight retry loop while holding wl->mutex and using atomic allocation, resulting in an infinite CPU‑tight loop and a soft lockup of the kernel. The primary effect is a denial of service that can degrade system responsiveness and stability. The weakness is a classic infinite loop (CWE‑835).

Affected Systems

This issue affects the Linux kernel for versions 6.19 and the 7.0 release candidates 1 through 7. The patch that fixes the bug is present in later revisions of the 6.18.y backport series and is expected to be merged into the mainline.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is considered moderately high severity, yet its EPSS score is less than 1% and it is not listed in the CISA KEV catalog, indicating low prior exploitation activity. The likely attack vector is the reception of wireless traffic that triggers a failure in headroom allocation; while the description does not state explicit prerequisites, it can be inferred that an attacker can potentially craft traffic to induce the failure without special privileges, resulting in the infinite loop. Cloud or local Wi‑Fi‑enabled systems remain at risk until the patch is applied.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`88295a55fefe5414e64293638b6f7549646e58ed`	affected	< 980f793645540ca7a6318165cc12f49d5febeb99
`cd89a4656c03f8db0c57350aaec69cd3cfaa3522`	affected	< 12f9eef39e49716c763714bfda835a733d5f6dea
`745a0810dbc96a0471e5f5e627ba1e978c3116d4`	affected	< ceb46b40b021d21911ff8608ce4ed33c1264ad2f
`b167312390fdd461c81ead516f2b0b44e83a9edb`	affected	< a6dc74209462c4fe5a88718d2f3a5286886081c8
`71de0b6e04bbee5575caf9a1e4d424e7dcc50018`	affected	< cfa64e2b3717be1da7c4c1aff7268a009e8c1610
`689a7980e4788e13e766763d53569fb78dea2513`	affected	< 46c670ff1ff466e5eccb3940f726586473dc053c
`e75665dd096819b1184087ba5718bd93beafff51`	affected	< f2c06d718a7b85cbc59ceaa2ff3f46b178ac709c
`e75665dd096819b1184087ba5718bd93beafff51`	affected	< deb353d9bb009638b7762cae2d0b6e8fdbb41a69
`5.10.250`	affected	< 5.10.253
`5.15.200`	affected	< 5.15.203
`6.1.163`	affected	< 6.1.167
`6.6.124`	affected	< 6.6.130
`6.12.70`	affected	< 6.12.78
`6.18.10`	affected	< 6.18.20

Linux

affected

Version	Status	Constraints
`6.19`	affected	—
`0`	unaffected	< 6.19
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.19:-::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[88295a55fefe5414e64293638b6f7549646e58ed,980f793645540ca7a6318165cc12f49d5febeb99)`	affected	code_commit	—
`[cd89a4656c03f8db0c57350aaec69cd3cfaa3522,12f9eef39e49716c763714bfda835a733d5f6dea)`	affected	code_commit	—
`[745a0810dbc96a0471e5f5e627ba1e978c3116d4,ceb46b40b021d21911ff8608ce4ed33c1264ad2f)`	affected	code_commit	—
`[b167312390fdd461c81ead516f2b0b44e83a9edb,a6dc74209462c4fe5a88718d2f3a5286886081c8)`	affected	code_commit	—
`[71de0b6e04bbee5575caf9a1e4d424e7dcc50018,cfa64e2b3717be1da7c4c1aff7268a009e8c1610)`	affected	code_commit	—
`[689a7980e4788e13e766763d53569fb78dea2513,46c670ff1ff466e5eccb3940f726586473dc053c)`	affected	code_commit	—
`[e75665dd096819b1184087ba5718bd93beafff51,f2c06d718a7b85cbc59ceaa2ff3f46b178ac709c)`	affected	code_commit	—
`[e75665dd096819b1184087ba5718bd93beafff51,deb353d9bb009638b7762cae2d0b6e8fdbb41a69)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.19`	affected	semver	—
`[0,6.19)`	unaffected	semver	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the fix which returns -ENOMEM instead of -EAGAIN when headroom is insufficient
If a kernel update is not immediately possible, quarantine the affected Wi‑Fi adapter or limit traffic to prevent the allocation failure from occurring
Monitor the system for signs of CPU soft lockup and reboot promptly should the driver enter a lockup state

Generated by OpenCVE AI on April 28, 2026 at 06:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DLA	DLA-4606-1	linux security update
Debian DSA	DSA-6238-1	linux security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00074.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/12f9eef39e49716c763714bfda835a733d5f6dea
https://git.kernel.org/stable/c/46c670ff1ff466e5eccb3940f726586473dc053c
https://git.kernel.org/stable/c/980f793645540ca7a6318165cc12f49d5febeb99
https://git.kernel.org/stable/c/a6dc74209462c4fe5a88718d2f3a5286886081c8
https://git.kernel.org/stable/c/ceb46b40b021d21911ff8608ce4ed33c1264ad2f
https://git.kernel.org/stable/c/cfa64e2b3717be1da7c4c1aff7268a009e8c1610
https://git.kernel.org/stable/c/deb353d9bb009638b7762cae2d0b6e8fdbb41a69
https://git.kernel.org/stable/c/f2c06d718a7b85cbc59ceaa2ff3f46b178ac709c
https://lore.kernel.org/linux-cve-announce/2026042427-CVE-2026-31552-505c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31552
https://www.cve.org/CVERecord?id=CVE-2026-31552

History

Mon, 27 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel:6.19:-:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

Mon, 27 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-835
References		https://lore.kernel.org/linux-cve-announce/2026042427-CVE-2026-31552-505c@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31552 https://www.cve.org/CVERecord?id=CVE-2026-31552
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push"), wl1271_tx_allocate() and with it wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails. However, in wlcore_tx_work_locked(), a return value of -EAGAIN from wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being full. This causes the code to flush the buffer, put the skb back at the head of the queue, and immediately retry the same skb in a tight while loop. Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens immediately with GFP_ATOMIC, this will result in an infinite loop and a CPU soft lockup. Return -ENOMEM instead so the packet is dropped and the loop terminates. The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y.
Title		wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/12f9eef39e49716c763714bfda835a733d5f6dea https://git.kernel.org/stable/c/46c670ff1ff466e5eccb3940f726586473dc053c https://git.kernel.org/stable/c/980f793645540ca7a6318165cc12f49d5febeb99 https://git.kernel.org/stable/c/a6dc74209462c4fe5a88718d2f3a5286886081c8 https://git.kernel.org/stable/c/ceb46b40b021d21911ff8608ce4ed33c1264ad2f https://git.kernel.org/stable/c/cfa64e2b3717be1da7c4c1aff7268a009e8c1610 https://git.kernel.org/stable/c/deb353d9bb009638b7762cae2d0b6e8fdbb41a69 https://git.kernel.org/stable/c/f2c06d718a7b85cbc59ceaa2ff3f46b178ac709c

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:33:19.065Z

Updated: 2026-05-23T16:05:18.617Z

Reserved: 2026-03-09T15:48:24.115Z

Link: CVE-2026-31552

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:29.497

Modified: 2026-04-27T20:15:16.820

Link: CVE-2026-31552

Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31552 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T06:45:24Z

Weaknesses

CWE-835

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object