CVE-2026-31552
Awaiting Analysis
Awaiting Analysis - Queue
BaseFortify
Publication date: 2026-04-24
Last updated on: 2026-04-27
Assigner: kernel.org
Description
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom
Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom
before skb_push"), wl1271_tx_allocate() and with it
wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.
However, in wlcore_tx_work_locked(), a return value of -EAGAIN from
wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being
full. This causes the code to flush the buffer, put the skb back at the
head of the queue, and immediately retry the same skb in a tight while
loop.
Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens
immediately with GFP_ATOMIC, this will result in an infinite loop and a
CPU soft lockup. Return -ENOMEM instead so the packet is dropped and
the loop terminates.
The problem was found by an experimental code review agent based on
gemini-3.1-pro while reviewing backports into v6.18.y.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 5.15.200 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 6.1.163 (inc) to 6.1.167 (exc) |
| linux | linux_kernel | From 6.6.124 (inc) to 6.6.130 (exc) |
| linux | linux_kernel | From 6.19.1 (inc) to 6.19.10 (exc) |
| linux | linux_kernel | From 5.10.250 (inc) to 5.10.253 (exc) |
| linux | linux_kernel | From 6.12.70 (inc) to 6.12.78 (exc) |
| linux | linux_kernel | From 6.18.10 (inc) to 6.18.20 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70