CVE-2026-31780 - Vulnerability Details

- wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation

The variable valuesize is declared as u8 but accumulates the total
length of all SSIDs to scan. Each SSID contributes up to 33 bytes
(IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10)
SSIDs the total can reach 330, which wraps around to 74 when stored
in a u8.

This causes kmalloc to allocate only 75 bytes while the subsequent
memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte
heap buffer overflow.

Widen valuesize from u8 to u32 to accommodate the full range.

Published: 2026-05-01

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A cumulative integer wrap‑around in the WiLCoW1000 WiFi driver causes a heap buffer overflow during SSID scanning. The driver stores the total size of SSIDs to be scanned in a u8 field, but up to ten SSIDs can collectively require 330 bytes. The 8‑bit counter wraps to 74, leading kmalloc to allocate only 75 bytes while a later memcpy writes up to 331 bytes, overwriting 256 bytes of heap memory. This out‑of‑bounds write can corrupt heap structures, potentially allowing an attacker to execute arbitrary code or induce a system crash.

Affected Systems

The flaw exists in the wilc1000 driver bundled with the Linux kernel. Any Linux system that includes the module prior to the patch is vulnerable; the exact affected kernel release is not specified, so systems using the driver before the update are at risk.

Risk and Exploitability

No public CVSS or EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. The overflow is considerable and can lead to remote code execution or denial of service, requiring an attacker to trigger a scan, which can be achieved by manipulating the wireless interface locally or by creating a malicious wireless environment that forces the device to scan. The severity warrants fast remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c5c77ba18ea66aa05441c71e38473efb787705a4`	affected	< 34a23fd9ddd683a03c7e8cc0ceded3e59e354b99
`c5c77ba18ea66aa05441c71e38473efb787705a4`	affected	< 549f02d8ec94d39092ab6d9b103d0d6783a4b024
`c5c77ba18ea66aa05441c71e38473efb787705a4`	affected	< bfbddeadd4779651403035ee177ae2f22f9f5521
`c5c77ba18ea66aa05441c71e38473efb787705a4`	affected	< 9907ac9b9a18b92fc34b9e4cb9e10f208dc1d3f7
`c5c77ba18ea66aa05441c71e38473efb787705a4`	affected	< c97b2a00059608592ad0d86fbb813a4f8cf9464b
`c5c77ba18ea66aa05441c71e38473efb787705a4`	affected	< d8388614de613c28eeb659c10115060a83739924
`c5c77ba18ea66aa05441c71e38473efb787705a4`	affected	< 0c7f21d8bd2f93998b72b7a7f93152336aeca4dd
`c5c77ba18ea66aa05441c71e38473efb787705a4`	affected	< d049e56b1739101d1c4d81deedb269c52a8dbba0

Linux

affected

Version	Status	Constraints
`4.2`	affected	—
`0`	unaffected	< 4.2
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c5c77ba18ea66aa05441c71e38473efb787705a4,34a23fd9ddd683a03c7e8cc0ceded3e59e354b99)`	affected	code_commit	—
`[c5c77ba18ea66aa05441c71e38473efb787705a4,549f02d8ec94d39092ab6d9b103d0d6783a4b024)`	affected	code_commit	—
`[c5c77ba18ea66aa05441c71e38473efb787705a4,bfbddeadd4779651403035ee177ae2f22f9f5521)`	affected	code_commit	—
`[c5c77ba18ea66aa05441c71e38473efb787705a4,9907ac9b9a18b92fc34b9e4cb9e10f208dc1d3f7)`	affected	code_commit	—
`[c5c77ba18ea66aa05441c71e38473efb787705a4,c97b2a00059608592ad0d86fbb813a4f8cf9464b)`	affected	code_commit	—
`[c5c77ba18ea66aa05441c71e38473efb787705a4,d8388614de613c28eeb659c10115060a83739924)`	affected	code_commit	—
`[c5c77ba18ea66aa05441c71e38473efb787705a4,0c7f21d8bd2f93998b72b7a7f93152336aeca4dd)`	affected	code_commit	—
`[c5c77ba18ea66aa05441c71e38473efb787705a4,d049e56b1739101d1c4d81deedb269c52a8dbba0)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.2`	affected	semver	—
`[0,4.2)`	unaffected	semver	—
`[5.10.253,5.10.*]`	unaffected	semver	—
`[5.15.203,5.15.*]`	unaffected	semver	—
`[6.1.168,6.1.*]`	unaffected	semver	—
`[6.6.134,6.6.*]`	unaffected	semver	—
`[6.12.81,6.12.*]`	unaffected	semver	—
`[6.18.22,6.18.*]`	unaffected	semver	—
`[6.19.12,6.19.*]`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a release that incorporates the patch widening valuesize to u32
Restart the system to load the updated driver and ensure the fix is active
If no patch is currently available, disable the wilc1000 module or block SSID scanning to prevent the overflow condition
Check that the kernel configuration does not include the wilc1000 module if it is not required

Generated by OpenCVE AI on May 2, 2026 at 10:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0c7f21d8bd2f93998b72b7a7f93152336aeca4dd
https://git.kernel.org/stable/c/34a23fd9ddd683a03c7e8cc0ceded3e59e354b99
https://git.kernel.org/stable/c/549f02d8ec94d39092ab6d9b103d0d6783a4b024
https://git.kernel.org/stable/c/9907ac9b9a18b92fc34b9e4cb9e10f208dc1d3f7
https://git.kernel.org/stable/c/bfbddeadd4779651403035ee177ae2f22f9f5521
https://git.kernel.org/stable/c/c97b2a00059608592ad0d86fbb813a4f8cf9464b
https://git.kernel.org/stable/c/d049e56b1739101d1c4d81deedb269c52a8dbba0
https://git.kernel.org/stable/c/d8388614de613c28eeb659c10115060a83739924

History

Sat, 02 May 2026 10:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-680

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation The variable valuesize is declared as u8 but accumulates the total length of all SSIDs to scan. Each SSID contributes up to 33 bytes (IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10) SSIDs the total can reach 330, which wraps around to 74 when stored in a u8. This causes kmalloc to allocate only 75 bytes while the subsequent memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte heap buffer overflow. Widen valuesize from u8 to u32 to accommodate the full range.
Title		wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0c7f21d8bd2f93998b72b7a7f93152336aeca4dd https://git.kernel.org/stable/c/34a23fd9ddd683a03c7e8cc0ceded3e59e354b99 https://git.kernel.org/stable/c/549f02d8ec94d39092ab6d9b103d0d6783a4b024 https://git.kernel.org/stable/c/9907ac9b9a18b92fc34b9e4cb9e10f208dc1d3f7 https://git.kernel.org/stable/c/bfbddeadd4779651403035ee177ae2f22f9f5521 https://git.kernel.org/stable/c/c97b2a00059608592ad0d86fbb813a4f8cf9464b https://git.kernel.org/stable/c/d049e56b1739101d1c4d81deedb269c52a8dbba0 https://git.kernel.org/stable/c/d8388614de613c28eeb659c10115060a83739924

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:15:07.253Z

Updated: 2026-05-01T14:15:07.253Z

Reserved: 2026-03-09T15:48:24.141Z

Link: CVE-2026-31780

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:41.453

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31780

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T10:30:40Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object