wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down_CVE-2026-31548

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down

When the nl80211 socket that originated a PMSR request is
closed, cfg80211_release_pmsr() sets the request's nl_portid
to zero and schedules pmsr_free_wk to process the abort
asynchronously. If the interface is concurrently torn down
before that work runs, cfg80211_pmsr_wdev_down() calls
cfg80211_pmsr_process_abort() directly. However, the already-
scheduled pmsr_free_wk work item remains pending and may run
after the interface has been removed from the driver. This
could cause the driver's abort_pmsr callback to operate on a
torn-down interface, leading to undefined behavior and
potential crashes.

Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
before calling cfg80211_pmsr_process_abort(). This ensures any
pending or in-progress work is drained before interface teardown
proceeds, preventing the work from invoking the driver abort
callback after the interface is gone.

Basic Information

ID CVE-2026-31548

Source Linux

Published Apr 24, 2026 at 14:33

Modified Apr 27, 2026 at 14:03

Affected Product

Vendor Linux

Product Linux

Version 9bb7e0f24e7e7d00daa1219b14539e2e602649b2

Affected Versions Linux Linux 9bb7e0f24e7e7d00daa1219b14539e2e602649b2
Linux Linux 9bb7e0f24e7e7d00daa1219b14539e2e602649b2
Linux Linux 9bb7e0f24e7e7d00daa1219b14539e2e602649b2
Linux Linux 9bb7e0f24e7e7d00daa1219b14539e2e602649b2
Linux Linux 9bb7e0f24e7e7d00daa1219b14539e2e602649b2
Linux Linux 9bb7e0f24e7e7d00daa1219b14539e2e602649b2
Linux Linux 5.0

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down\n\nWhen the nl80211 socket that originated a PMSR request is\nclosed, cfg80211_release_pmsr() sets the request's nl_portid\nto zero and schedules pmsr_free_wk to process the abort\nasynchronously. If the interface is concurrently torn down\nbefore that work runs, cfg80211_pmsr_wdev_down() calls\ncfg80211_pmsr_process_abort() directly. However, the already-\nscheduled pmsr_free_wk work item remains pending and may run\nafter the interface has been removed from the driver. This\ncould cause the driver's abort_pmsr callback to operate on a\ntorn-down interface, leading to undefined behavior and\npotential crashes.\n\nCancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()\nbefore calling cfg80211_pmsr_process_abort(). This ensures any\npending or in-progress work is drained before interface teardown\nproceeds, preventing the work from invoking the driver abort\ncallback after the interface is gone.",
    "published": "2026-04-24T14:33:16.021Z",
    "modified": "2026-04-27T14:03:59.189Z",
    "type": "cve",
    "title": "wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/28d3551f8d8cb3aec7497894d94150fe84d20e5e\nhttps://git.kernel.org/stable/c/37e776e2e0a523731e2470dce6d563f0e8632a40\nhttps://git.kernel.org/stable/c/d32c07ef1880fe20cf4ab223dbfedc9c0b2816aa\nhttps://git.kernel.org/stable/c/a1b7a843f12a0c3e9d3a2ca607ce451916ef42cf\nhttps://git.kernel.org/stable/c/72b7ea786b8e570ae11149e9089859a4a8634a13\nhttps://git.kernel.org/stable/c/6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09",
    "id": "CVE-2026-31548",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 9bb7e0f24e7e7d00daa1219b14539e2e602649b2\nLinux Linux 9bb7e0f24e7e7d00daa1219b14539e2e602649b2\nLinux Linux 9bb7e0f24e7e7d00daa1219b14539e2e602649b2\nLinux Linux 9bb7e0f24e7e7d00daa1219b14539e2e602649b2\nLinux Linux 9bb7e0f24e7e7d00daa1219b14539e2e602649b2\nLinux Linux 9bb7e0f24e7e7d00daa1219b14539e2e602649b2\nLinux Linux 5.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "9bb7e0f24e7e7d00daa1219b14539e2e602649b2",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply