CVE-2026-31604 - Vulnerability Details

- wifi: rtw88: fix device leak on probe failure

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: fix device leak on probe failure

Driver core holds a reference to the USB interface and its parent USB
device while the interface is bound to a driver and there is no need to
take additional references unless the structures are needed after
disconnect.

This driver takes a reference to the USB device during probe but does
not to release it on all probe errors (e.g. when descriptor parsing
fails).

Drop the redundant device reference to fix the leak, reduce cargo
culting, make it easier to spot drivers where an extra reference is
needed, and reduce the risk of further memory leaks.

Published: 2026-04-24

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, the rtw88 USB Wi‑Fi driver holds a reference to the USB device during probe but does not release it when probe errors occur, such as descriptor parsing failures. This results in a memory/resource leak that persists until the module is unloaded or the system is rebooted. The bug does not provide an attacker with code execution or direct confidentiality breach, but repeated leaks could weaken system stability or lead to a denial of service over an extended period.

Affected Systems

The vulnerability affects any Linux system that uses the rtw88 driver in the kernel. This is common on systems with Wi‑Fi hardware that relies on the rtw88 module; the impact applies to all kernel releases prior to the patch that removes the redundant reference.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1 % suggests a very low probability of exploitation observed in the field. The vulnerability is not listed in the CISA KEV catalog, reinforcing its lower priority relative to high‑profile exploits. Based on the description, the likely attack vector is a probe failure during driver initialization, which requires local/device-level interaction and is unlikely to lead to further escalation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a82dfd33d1237f6c0fb8a7077022189d1fc7ec98`	affected	< f632987306bce9242cdfcf911ee0b2c9455e05a3
`a82dfd33d1237f6c0fb8a7077022189d1fc7ec98`	affected	< a4f4371d194dfa5473cc961f86194084b1b13a69
`a82dfd33d1237f6c0fb8a7077022189d1fc7ec98`	affected	< 89a9c1bc7d797120bcc290864e0cb10a440a677f
`a82dfd33d1237f6c0fb8a7077022189d1fc7ec98`	affected	< af7307e96dad00bcc2675dac650d8558a52f2c6f
`a82dfd33d1237f6c0fb8a7077022189d1fc7ec98`	affected	< 25a827b7e1d5747a255bdc757f1d3e9e1e8a4e2a
`a82dfd33d1237f6c0fb8a7077022189d1fc7ec98`	affected	< bbb15e71156cd9f5e1869eee7207a06ea8e96c39

Linux

affected

Version	Status	Constraints
`6.2`	affected	—
`0`	unaffected	< 6.2
`6.6.136`	unaffected	≤ 6.6.*
`6.12.83`	unaffected	≤ 6.12.*
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0.1`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[a82dfd33d1237f6c0fb8a7077022189d1fc7ec98,f632987306bce9242cdfcf911ee0b2c9455e05a3]`	affected	code_commit	—
`[a82dfd33d1237f6c0fb8a7077022189d1fc7ec98,a4f4371d194dfa5473cc961f86194084b1b13a69]`	affected	code_commit	—
`[a82dfd33d1237f6c0fb8a7077022189d1fc7ec98,89a9c1bc7d797120bcc290864e0cb10a440a677f]`	affected	code_commit	—
`[a82dfd33d1237f6c0fb8a7077022189d1fc7ec98,af7307e96dad00bcc2675dac650d8558a52f2c6f]`	affected	code_commit	—
`[a82dfd33d1237f6c0fb8a7077022189d1fc7ec98,25a827b7e1d5747a255bdc757f1d3e9e1e8a4e2a]`	affected	code_commit	—
`[a82dfd33d1237f6c0fb8a7077022189d1fc7ec98,bbb15e71156cd9f5e1869eee7207a06ea8e96c39]`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.2`	affected	generic	—
`[0,6.2)`	unaffected	semver	—
`[6.6.136,6.7.0)`	unaffected	semver	—
`[6.12.83,6.13.0)`	unaffected	semver	—
`[6.18.24,6.19.0)`	unaffected	semver	—
`[6.19.14,6.20.0)`	unaffected	semver	—
`[7.0.1,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the rtw88 reference‑release patch, ensuring that the driver no longer retains USB device references on probe failures.
After the kernel upgrade, reboot the system to unload any pre‑existing instances of the rtw88 driver and flush the leaked resources.
If an immediate kernel update is not possible, temporarily blacklist the rtw88 module (e.g., add a blacklist entry or remove the driver from the initramfs) to prevent its loading until the kernel can be patched.

Generated by OpenCVE AI on April 29, 2026 at 21:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6238-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/25a827b7e1d5747a255bdc757f1d3e9e1e8a4e2a
https://git.kernel.org/stable/c/89a9c1bc7d797120bcc290864e0cb10a440a677f
https://git.kernel.org/stable/c/a4f4371d194dfa5473cc961f86194084b1b13a69
https://git.kernel.org/stable/c/af7307e96dad00bcc2675dac650d8558a52f2c6f
https://git.kernel.org/stable/c/bbb15e71156cd9f5e1869eee7207a06ea8e96c39
https://git.kernel.org/stable/c/f632987306bce9242cdfcf911ee0b2c9455e05a3
https://lore.kernel.org/linux-cve-announce/2026042419-CVE-2026-31604-cd65@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31604
https://www.cve.org/CVERecord?id=CVE-2026-31604

History

Wed, 29 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/f632987306bce9242cdfcf911ee0b2c9455e05a3

Mon, 27 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/bbb15e71156cd9f5e1869eee7207a06ea8e96c39

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-911
References		https://lore.kernel.org/linux-cve-announce/2026042419-CVE-2026-31604-cd65@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31604 https://www.cve.org/CVERecord?id=CVE-2026-31604
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: fix device leak on probe failure Driver core holds a reference to the USB interface and its parent USB device while the interface is bound to a driver and there is no need to take additional references unless the structures are needed after disconnect. This driver takes a reference to the USB device during probe but does not to release it on all probe errors (e.g. when descriptor parsing fails). Drop the redundant device reference to fix the leak, reduce cargo culting, make it easier to spot drivers where an extra reference is needed, and reduce the risk of further memory leaks.
Title		wifi: rtw88: fix device leak on probe failure
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/25a827b7e1d5747a255bdc757f1d3e9e1e8a4e2a https://git.kernel.org/stable/c/89a9c1bc7d797120bcc290864e0cb10a440a677f https://git.kernel.org/stable/c/a4f4371d194dfa5473cc961f86194084b1b13a69 https://git.kernel.org/stable/c/af7307e96dad00bcc2675dac650d8558a52f2c6f

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:42:27.342Z

Updated: 2026-05-11T22:12:00.312Z

Reserved: 2026-03-09T15:48:24.122Z

Link: CVE-2026-31604

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:39.627

Modified: 2026-04-29T19:21:26.807

Link: CVE-2026-31604

Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31604 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T21:45:20Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object