Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation

The variable valuesize is declared as u8 but accumulates the total
length of all SSIDs to scan. Each SSID contributes up to 33 bytes
(IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10)
SSIDs the total can reach 330, which wraps around to 74 when stored
in a u8.

This causes kmalloc to allocate only 75 bytes while the subsequent
memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte
heap buffer overflow.

Widen valuesize from u8 to u32 to accommodate the full range.
Published: 2026-05-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an unsigned 8‑bit integer overflow in the Wilc1000 Wi‑Fi driver. The driver accumulates the total size of SSIDs it scans in a variable declared as u8, which can hold values up to 255. Ten SSIDs of up to 33 bytes each require 330 bytes, causing the counter to wrap to 74. Consequently, kmalloc allocates only 75 bytes, while a later memcpy writes up to 331 bytes into the buffer, corrupting 256 bytes of heap memory. This overflow can compromise memory integrity and potentially allow arbitrary code execution or denial of service.

Affected Systems

The flaw exists in the Wilc1000 driver shipped with the Linux kernel. Because specific kernel version numbers are not given, any system that loads the unpatched module is susceptible. This includes all Linux deployments with the Wilc1000 hardware driver active before the upstream fix is integrated.

Risk and Exploitability

The reported CVSS score of 7.8 indicates a high severity. The EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting low current exploitation likelihood. Based on the description, it is inferred that triggering a Wi‑Fi scan can lead to the overflow, which may occur locally via user actions or by positioning a malicious access point that forces the device to scan. Because the overflow undermines heap state, a successful exploit could lead to arbitrary code execution or system crash.

Generated by OpenCVE AI on May 11, 2026 at 23:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel that includes the patch widening valuesize to u32
  • If a newer kernel is not available, disable or unload the wilc1000 module to eliminate the overflow risk
  • As an interim workaround, stop Wi‑Fi scanning or restrict scanning to known SSIDs to avoid triggering the overflow condition
  • Consider rebuilding the kernel without the wilc1000 driver if the hardware is not required

Generated by OpenCVE AI on May 11, 2026 at 23:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Mon, 11 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 02 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-680

Sat, 02 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References

Sat, 02 May 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-680

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation The variable valuesize is declared as u8 but accumulates the total length of all SSIDs to scan. Each SSID contributes up to 33 bytes (IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10) SSIDs the total can reach 330, which wraps around to 74 when stored in a u8. This causes kmalloc to allocate only 75 bytes while the subsequent memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte heap buffer overflow. Widen valuesize from u8 to u32 to accommodate the full range.
Title wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:15:40.155Z

Reserved: 2026-03-09T15:48:24.141Z

Link: CVE-2026-31780

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:41.453

Modified: 2026-05-11T20:54:09.280

Link: CVE-2026-31780

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31780 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T23:45:03Z

Weaknesses