VYPR
High severity 7.8 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 27, 2026

CVE-2026-31548

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down

When the nl80211 socket that originated a PMSR request is closed, cfg80211_release_pmsr() sets the request's nl_portid to zero and schedules pmsr_free_wk to process the abort asynchronously. If the interface is concurrently torn down before that work runs, cfg80211_pmsr_wdev_down() calls cfg80211_pmsr_process_abort() directly. However, the already-scheduled pmsr_free_wk work item remains pending and may run after the interface has been removed from the driver. This could cause the driver's abort_pmsr callback to operate on a torn-down interface, leading to undefined behavior and potential crashes.

Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down() before calling cfg80211_pmsr_process_abort(). This ensures any pending or in-progress work is drained before interface teardown proceeds, preventing the work from invoking the driver abort callback after the interface is gone.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's cfg80211, a failure to cancel the pmsr_free_wk work item during interface teardown could let a driver abort callback run after the interface is gone, causing undefined behavior.

Vulnerability Overview

CVE-2026-31548 is a use-after-free style race condition in the Linux kernel's cfg80211 wireless configuration subsystem. The bug occurs in the handling of Per Station Measurement Request (PMSR) operations. When a user-space application closes an nl80211 socket that originated a PMSR request, cfg80211_release_pmsr() sets the request's nl_portid to zero and schedules the pmsr_free_wk workqueue item to process the abort asynchronously [1]. If the wireless interface is concurrently torn down (via cfg80211_pmsr_wdev_down()) before that scheduled work runs, the function calls cfg80211_pmsr_process_abort() directly. However, the previously scheduled pmsr_free_wk remains pending and can later execute after the interface has already been removed from the driver [2].

Exploitation and Impact

An attacker with local access and the ability to trigger both a PMSR request and an interface teardown can exploit this ordering race. Specifically, the attacker needs to open an nl80211 socket, initiate a PMSR measurement, and then rapidly close that socket while simultaneously removing the wireless interface (e.g., via a netlink NL80211_CMD_DEL_INTERFACE call). Because the pmsr_free_wk is not cancelled before the synchronous abort in cfg80211_pmsr_wdev_down(), the driver's abort_pmsr callback may be invoked on a torn-down, invalid interface object [3]. This can lead to undefined behavior, memory corruption, or a system crash (kernel panic). The CVSS v3 score of 7.8 reflects the high severity due to the potential for denial-of-service or privilege escalation from a local attacker [4].

Mitigation

The fix, merged into the Linux kernel, adds a synchronous cancel_work_sync() on pmsr_free_wk at the beginning of cfg80211_pmsr_wdev_down(), before the abort processing. This ensures that any pending or in-progress work is drained before the interface teardown proceeds, preventing the work from invoking the driver callback after the interface is gone [1][2]. The patch has been backported to multiple stable kernel branches. Users and distribution maintainers should apply the latest updates to their kernels.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
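
The ordering that the fix enforces, shown as an added example that is not the kernel's code or the patch itself. It is a single-threaded userspace model: every `model_*` name is hypothetical, and clearing a flag stands in for `cancel_work_sync()`.

```c
/* Userspace model only; all names are hypothetical, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct model_wdev {
    bool registered;       /* interface still present in the driver */
    bool free_wk_pending;  /* models a queued pmsr_free_wk */
    int  late_runs;        /* abort processing that ran after removal */
};

/* Models the abort processing; counts runs on a removed interface. */
static void model_process_abort(struct model_wdev *w)
{
    if (!w->registered)
        w->late_runs++;
}

/* Models the workqueue eventually running the deferred item. */
static void model_run_workqueue(struct model_wdev *w)
{
    if (w->free_wk_pending) {
        w->free_wk_pending = false;
        model_process_abort(w);
    }
}

/* Models interface teardown; drain_first selects the fixed ordering. */
static void model_wdev_down(struct model_wdev *w, bool drain_first)
{
    if (drain_first)
        w->free_wk_pending = false;  /* stands in for cancel_work_sync() */
    model_process_abort(w);
    w->registered = false;           /* interface removed from the driver */
}

/* Replays: socket close queues the work, teardown, then the late item. */
static int model_late_runs(bool drain_first)
{
    struct model_wdev w = { .registered = true };
    w.free_wk_pending = true;        /* socket close deferred the abort */
    model_wdev_down(&w, drain_first);
    model_run_workqueue(&w);
    return w.late_runs;
}

int main(void)
{
    printf("late runs: without drain=%d, with drain=%d\n",
           model_late_runs(false), model_late_runs(true));
    return 0;
}
```

The model covers only the pending-work case; the in-progress case that `cancel_work_sync()` also waits out needs real concurrency and is not modelled here.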

Affected products

  • Linux/Kernel: 9 versions
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=5.0.1,<6.1.167)
    • cpe:2.3:o:linux:linux_kernel:5.0:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
