CVE-2026-31661
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmsmac: Fix dma_free_coherent() size
dma_alloc_consistent() may change the size to align it. The new size is saved in alloced.
Change the free size to match the allocation size.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's brcmsmac WiFi driver, a DMA memory allocation size mismatch causes a use-after-free or memory corruption when freeing coherent memory.
Vulnerability
CVE-2026-31661 is a bug in the Linux kernel's brcmsmac wireless driver. The issue arises because dma_alloc_coherent() may adjust the requested allocation size to meet alignment requirements, and the driver saves this adjusted size in the alloced field. However, the driver then uses the original, unaligned size when calling dma_free_coherent(). This mismatch can lead to freeing the wrong amount of memory, potentially causing memory corruption or a use-after-free condition.
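The size mismatch described above, as an added user-space C model (not code from the kernel or the brcmsmac driver). `ring_alloc`, `model_free` and `ring_cycle` are hypothetical names, the padding rule is an assumption, and `model_free` stands in for a free routine that checks the size it is given against the allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model; none of this is kernel or brcmsmac code. */
static void  *live_va;    /* the one outstanding "coherent" buffer */
static size_t live_size;  /* size the allocator was actually asked for */

/* Helper shaped like the one in the description: may pad the request for
 * alignment and reports the real size through *alloced (padding rule assumed). */
static void *ring_alloc(size_t size, unsigned align_bits, size_t *alloced)
{
    if (align_bits)
        size += (size_t)1 << align_bits;
    *alloced = size;
    live_va = malloc(size);           /* stand-in for the coherent allocator */
    live_size = live_va ? size : 0;
    return live_va;
}

/* Stand-in for the free side: 0 on a matching size, -1 on a mismatch. */
static int model_free(size_t size, void *va)
{
    if (va == NULL || va != live_va || size != live_size)
        return -1;
    free(va);
    live_va = NULL;
    live_size = 0;
    return 0;
}

/* Allocate a ring, then free it with either the requested or the saved size. */
static int ring_cycle(size_t requested, unsigned align_bits, int use_alloced)
{
    size_t alloced = 0;
    void *va = ring_alloc(requested, align_bits, &alloced);
    int rc = model_free(use_alloced ? alloced : requested, va);

    if (rc != 0)                      /* clean up so the model does not leak */
        model_free(alloced, va);
    return rc;
}

int main(void)
{
    printf("free with requested size: %d\n", ring_cycle(4096, 13, 0));
    printf("free with alloced size:   %d\n", ring_cycle(4096, 13, 1));
    return 0;
}
```

On a real kernel, building with CONFIG_DMA_API_DEBUG makes the DMA debugging code report a dma_free_coherent() call whose size differs from the allocation.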
Exploitation
An attacker would need to be able to trigger the affected code path in the brcmsmac driver, which typically requires local access to the system and the ability to interact with the wireless interface. No special privileges beyond normal user access to the network subsystem are likely required, but the attack surface is limited to systems using the Broadcom wireless chipsets supported by this driver.
Impact
Successful exploitation could result in memory corruption, leading to system instability or a denial of service. In some cases, it might be leveraged for privilege escalation if the corruption affects kernel memory in a controlled way, though the CVE description does not specify such a scenario.
Mitigation
The fix is included in the Linux kernel stable tree via commits [1], [2], [3], and [4]. Users should update their kernel to a version containing the patch. No workaround is mentioned, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=3.2.1,<5.10.253)
- cpe:2.3:o:linux:linux_kernel:3.2:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
References
- git.kernel.org/stable/c/01f1330d3d1bee07e0c42d40cc48b7be8b6dad84 (nvd, Patch)
- git.kernel.org/stable/c/0f87777b74bcce29b966ec42d9aa8f9edd9b1667 (nvd, Patch)
- git.kernel.org/stable/c/12cd7632757a54ce586e36040210b1a738a0fc53 (nvd, Patch)
- git.kernel.org/stable/c/3c204a0fd079fa7a867151a47d830ad1c2db5177 (nvd, Patch)
- git.kernel.org/stable/c/4bf41c2731a0549e21f66180ff780b1e036639ab (nvd, Patch)
- git.kernel.org/stable/c/77263f053963dea9f3962505ac0c768853d7dc59 (nvd, Patch)
- git.kernel.org/stable/c/b27fa888e4a426a3bcf6f6ab24701d888d9bf5aa (nvd, Patch)
- git.kernel.org/stable/c/f449676bab54fea1440775c8c915dadb323fe015 (nvd, Patch)