wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free_CVE-2026-31695

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free

Currently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for
the virt_wifi net devices. However, unregistering a virt_wifi device in
netdev_run_todo() can happen together with the device referenced by
SET_NETDEV_DEV().

It can result in use-after-free during the ethtool operations performed
on a virt_wifi device that is currently being unregistered. Such a net
device can have the `dev.parent` field pointing to the freed memory,
but ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.

Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:

==================================================================
BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0
Read of size 2 at addr ffff88810cfc46f8 by task pm/606

Call Trace:
<TASK>
dump_stack_lvl+0x4d/0x70
print_report+0x170/0x4f3
? __pfx__raw_spin_lock_irqsave+0x10/0x10
kasan_report+0xda/0x110
? __pm_runtime_resume+0xe2/0xf0
? __pm_runtime_resume+0xe2/0xf0
__pm_runtime_resume+0xe2/0xf0
ethnl_ops_begin+0x49/0x270
ethnl_set_features+0x23c/0xab0
? __pfx_ethnl_set_features+0x10/0x10
? kvm_sched_clock_read+0x11/0x20
? local_clock_noinstr+0xf/0xf0
? local_clock+0x10/0x30
? kasan_save_track+0x25/0x60
? __kasan_kmalloc+0x7f/0x90
? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0
genl_family_rcv_msg_doit+0x1e7/0x2c0
? __pfx_genl_family_rcv_msg_doit+0x10/0x10
? __pfx_cred_has_capability.isra.0+0x10/0x10
? stack_trace_save+0x8e/0xc0
genl_rcv_msg+0x411/0x660
? __pfx_genl_rcv_msg+0x10/0x10
? __pfx_ethnl_set_features+0x10/0x10
netlink_rcv_skb+0x121/0x380
? __pfx_genl_rcv_msg+0x10/0x10
? __pfx_netlink_rcv_skb+0x10/0x10
? __pfx_down_read+0x10/0x10
genl_rcv+0x23/0x30
netlink_unicast+0x60f/0x830
? __pfx_netlink_unicast+0x10/0x10
? __pfx___alloc_skb+0x10/0x10
netlink_sendmsg+0x6ea/0xbc0
? __pfx_netlink_sendmsg+0x10/0x10
? __futex_queue+0x10b/0x1f0
____sys_sendmsg+0x7a2/0x950
? copy_msghdr_from_user+0x26b/0x430
? __pfx_____sys_sendmsg+0x10/0x10
? __pfx_copy_msghdr_from_user+0x10/0x10
___sys_sendmsg+0xf8/0x180
? __pfx____sys_sendmsg+0x10/0x10
? __pfx_futex_wait+0x10/0x10
? fdget+0x2e4/0x4a0
__sys_sendmsg+0x11f/0x1c0
? __pfx___sys_sendmsg+0x10/0x10
do_syscall_64+0xe2/0x570
? exc_page_fault+0x66/0xb0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>

This fix may be combined with another one in the ethtool subsystem:
https://lore.kernel.org/all/[email protected]/T/#u

Basic Information

ID CVE-2026-31695

Source Linux

Published May 1, 2026 at 13:53

Modified May 3, 2026 at 05:45

Affected Product

Vendor Linux

Product Linux

Version d43c65b05b848e0b2db1a6c78b02c189da3a95b5

Affected Versions Linux Linux d43c65b05b848e0b2db1a6c78b02c189da3a95b5
Linux Linux d43c65b05b848e0b2db1a6c78b02c189da3a95b5
Linux Linux d43c65b05b848e0b2db1a6c78b02c189da3a95b5
Linux Linux d43c65b05b848e0b2db1a6c78b02c189da3a95b5
Linux Linux d43c65b05b848e0b2db1a6c78b02c189da3a95b5
Linux Linux d43c65b05b848e0b2db1a6c78b02c189da3a95b5
Linux Linux d43c65b05b848e0b2db1a6c78b02c189da3a95b5
Linux Linux 5.15

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free\n\nCurrently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for\nthe virt_wifi net devices. However, unregistering a virt_wifi device in\nnetdev_run_todo() can happen together with the device referenced by\nSET_NETDEV_DEV().\n\nIt can result in use-after-free during the ethtool operations performed\non a virt_wifi device that is currently being unregistered. Such a net\ndevice can have the `dev.parent` field pointing to the freed memory,\nbut ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.\n\nLet's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0\n Read of size 2 at addr ffff88810cfc46f8 by task pm/606\n\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x4d/0x70\n  print_report+0x170/0x4f3\n  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n  kasan_report+0xda/0x110\n  ? __pm_runtime_resume+0xe2/0xf0\n  ? __pm_runtime_resume+0xe2/0xf0\n  __pm_runtime_resume+0xe2/0xf0\n  ethnl_ops_begin+0x49/0x270\n  ethnl_set_features+0x23c/0xab0\n  ? __pfx_ethnl_set_features+0x10/0x10\n  ? kvm_sched_clock_read+0x11/0x20\n  ? local_clock_noinstr+0xf/0xf0\n  ? local_clock+0x10/0x30\n  ? kasan_save_track+0x25/0x60\n  ? __kasan_kmalloc+0x7f/0x90\n  ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0\n  genl_family_rcv_msg_doit+0x1e7/0x2c0\n  ? __pfx_genl_family_rcv_msg_doit+0x10/0x10\n  ? __pfx_cred_has_capability.isra.0+0x10/0x10\n  ? stack_trace_save+0x8e/0xc0\n  genl_rcv_msg+0x411/0x660\n  ? __pfx_genl_rcv_msg+0x10/0x10\n  ? __pfx_ethnl_set_features+0x10/0x10\n  netlink_rcv_skb+0x121/0x380\n  ? __pfx_genl_rcv_msg+0x10/0x10\n  ? __pfx_netlink_rcv_skb+0x10/0x10\n  ? __pfx_down_read+0x10/0x10\n  genl_rcv+0x23/0x30\n  netlink_unicast+0x60f/0x830\n  ? __pfx_netlink_unicast+0x10/0x10\n  ? __pfx___alloc_skb+0x10/0x10\n  netlink_sendmsg+0x6ea/0xbc0\n  ? __pfx_netlink_sendmsg+0x10/0x10\n  ? __futex_queue+0x10b/0x1f0\n  ____sys_sendmsg+0x7a2/0x950\n  ? copy_msghdr_from_user+0x26b/0x430\n  ? __pfx_____sys_sendmsg+0x10/0x10\n  ? __pfx_copy_msghdr_from_user+0x10/0x10\n  ___sys_sendmsg+0xf8/0x180\n  ? __pfx____sys_sendmsg+0x10/0x10\n  ? __pfx_futex_wait+0x10/0x10\n  ? fdget+0x2e4/0x4a0\n  __sys_sendmsg+0x11f/0x1c0\n  ? __pfx___sys_sendmsg+0x10/0x10\n  do_syscall_64+0xe2/0x570\n  ? exc_page_fault+0x66/0xb0\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  </TASK>\n\nThis fix may be combined with another one in the ethtool subsystem:\nhttps://lore.kernel.org/all/[email protected]/T/#u",
    "published": "2026-05-01T13:53:36.857Z",
    "modified": "2026-05-03T05:45:20.976Z",
    "type": "cve",
    "title": "wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/e90f3e74e1ebc26c461a74be490d322716bcdcb4\nhttps://git.kernel.org/stable/c/dcb5915696bd7b32b6404a897c24ee47cb23e772\nhttps://git.kernel.org/stable/c/d1e3aa80e6e04410ba89eaaba4441a0d749d181d\nhttps://git.kernel.org/stable/c/c5fa98842783ed227365d1303785de6a67020c8d\nhttps://git.kernel.org/stable/c/5bbadf60b121065ffb267ec92018607b9c1c7524\nhttps://git.kernel.org/stable/c/5adc01506da94dfaab76f3d1b8410a8ca7bfc59d\nhttps://git.kernel.org/stable/c/789b06f9f39cdc7e895bdab2c034e39c41c8f8d6",
    "id": "CVE-2026-31695",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux d43c65b05b848e0b2db1a6c78b02c189da3a95b5\nLinux Linux d43c65b05b848e0b2db1a6c78b02c189da3a95b5\nLinux Linux d43c65b05b848e0b2db1a6c78b02c189da3a95b5\nLinux Linux d43c65b05b848e0b2db1a6c78b02c189da3a95b5\nLinux Linux d43c65b05b848e0b2db1a6c78b02c189da3a95b5\nLinux Linux d43c65b05b848e0b2db1a6c78b02c189da3a95b5\nLinux Linux d43c65b05b848e0b2db1a6c78b02c189da3a95b5\nLinux Linux 5.15",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "d43c65b05b848e0b2db1a6c78b02c189da3a95b5",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply