CVE-2026-31779 - Vulnerability Details

- wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()

The memcpy function assumes the dynamic array notif->matches is at least
as large as the number of bytes to copy. Otherwise, results->matches may
contain unwanted data. To guarantee safety, extend the validation in one
of the checks to ensure sufficient packet length.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Published: 2026-05-01

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A flaw was found in the iwl_mvm_nd_match_info_handler function of the iwlwifi driver. The memcpy call assumes that the dynamic array notif->matches is large enough for the number of bytes to be copied. If this assumption fails, the function copies data past the end of the array, causing an out-of-bounds read. The result is that sensitive kernel information may be exposed to an attacker, classifying the weakness under CWE-20: Improper Input Validation.

Affected Systems

The vulnerability affects Linux kernels that include the iwlwifi driver before the patch referenced by commits 744fabc… and ca0e949…. Any distribution that shipped a kernel prior to these commits is potentially vulnerable. The exact kernel version range is not listed in the advisory, but any kernel installing iwlwifi without the fix is at risk.

Risk and Exploitability

EPSS data is not available and the vulnerability is not listed in KEV, so the publicly reported exploitation probability is unknown. However, the flaw requires the delivery of crafted WiFi packets to a target machine, making the attack vector remote and dependent on wireless traffic control. While the attack may be complex, the read of kernel memory could expose confidential data, and the lack of mitigation outside the kernel suggests that patching remains the prudent course of action.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`5ac54afd4d97ad8d94fe250c83b1924eb6d2268c`	affected	< f6abac936a0dfd31d6c3e49205ec0ee75a8f887f
`5ac54afd4d97ad8d94fe250c83b1924eb6d2268c`	affected	< ffbed27ba15ef80d1c622eeedbfef03e501ae134
`5ac54afd4d97ad8d94fe250c83b1924eb6d2268c`	affected	< e67d8c626ace80b0fa2b48c8ec0a46b508c93442
`5ac54afd4d97ad8d94fe250c83b1924eb6d2268c`	affected	< dd90880eb5ec5442b37eb2b95688f4a63f4883e3
`5ac54afd4d97ad8d94fe250c83b1924eb6d2268c`	affected	< ca0e9491b98ca4c5b44204b0b3dd8062a3b5fba2
`5ac54afd4d97ad8d94fe250c83b1924eb6d2268c`	affected	< 744fabc338e87b95c4d1ff7c95bc8c0f834c6d99

Linux

affected

Version	Status	Constraints
`6.1`	affected	—
`0`	unaffected	< 6.1
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5ac54afd4d97ad8d94fe250c83b1924eb6d2268c,f6abac936a0dfd31d6c3e49205ec0ee75a8f887f)`	affected	code_commit	—
`[5ac54afd4d97ad8d94fe250c83b1924eb6d2268c,ffbed27ba15ef80d1c622eeedbfef03e501ae134)`	affected	code_commit	—
`[5ac54afd4d97ad8d94fe250c83b1924eb6d2268c,e67d8c626ace80b0fa2b48c8ec0a46b508c93442)`	affected	code_commit	—
`[5ac54afd4d97ad8d94fe250c83b1924eb6d2268c,dd90880eb5ec5442b37eb2b95688f4a63f4883e3)`	affected	code_commit	—
`[5ac54afd4d97ad8d94fe250c83b1924eb6d2268c,ca0e9491b98ca4c5b44204b0b3dd8062a3b5fba2)`	affected	code_commit	—
`[5ac54afd4d97ad8d94fe250c83b1924eb6d2268c,744fabc338e87b95c4d1ff7c95bc8c0f834c6d99)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.1`	affected	semver	—
`[0,6.1)`	unaffected	semver	—
`[6.1.0,6.2.0)`	unaffected	semver	—
`[6.6.0,6.7.0)`	unaffected	semver	—
`[6.12.0,6.13.0)`	unaffected	semver	—
`[6.18.0,6.19.0)`	unaffected	semver	—
`[6.19.0,6.20.0)`	unaffected	semver	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that contains the iwlwifi mvm patch (e.g., a kernel including commit 744fabc or later).
If an immediate kernel upgrade is not feasible, disable the iwlwifi driver or restrict WiFi traffic to limit exposure to malicious packets.
Apply any vendor‑specific security updates or firmware updates for WiFi adapters that may address the issue.

Generated by OpenCVE AI on May 2, 2026 at 07:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/744fabc338e87b95c4d1ff7c95bc8c0f834c6d99
https://git.kernel.org/stable/c/ca0e9491b98ca4c5b44204b0b3dd8062a3b5fba2
https://git.kernel.org/stable/c/dd90880eb5ec5442b37eb2b95688f4a63f4883e3
https://git.kernel.org/stable/c/e67d8c626ace80b0fa2b48c8ec0a46b508c93442
https://git.kernel.org/stable/c/f6abac936a0dfd31d6c3e49205ec0ee75a8f887f
https://git.kernel.org/stable/c/ffbed27ba15ef80d1c622eeedbfef03e501ae134

History

Sat, 02 May 2026 07:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler() The memcpy function assumes the dynamic array notif->matches is at least as large as the number of bytes to copy. Otherwise, results->matches may contain unwanted data. To guarantee safety, extend the validation in one of the checks to ensure sufficient packet length. Found by Linux Verification Center (linuxtesting.org) with SVACE.
Title		wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/744fabc338e87b95c4d1ff7c95bc8c0f834c6d99 https://git.kernel.org/stable/c/ca0e9491b98ca4c5b44204b0b3dd8062a3b5fba2 https://git.kernel.org/stable/c/dd90880eb5ec5442b37eb2b95688f4a63f4883e3 https://git.kernel.org/stable/c/e67d8c626ace80b0fa2b48c8ec0a46b508c93442 https://git.kernel.org/stable/c/f6abac936a0dfd31d6c3e49205ec0ee75a8f887f https://git.kernel.org/stable/c/ffbed27ba15ef80d1c622eeedbfef03e501ae134

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:15:06.506Z

Updated: 2026-05-01T14:15:06.506Z

Reserved: 2026-03-09T15:48:24.140Z

Link: CVE-2026-31779

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:41.330

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31779

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:30:36Z

Weaknesses

CWE-20

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object