CVE-2026-31695
Use-After-Free in Linux Kernel virt_wifi Driver

Publication date: 2026-05-01

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free

Currently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for the virt_wifi net devices. However, unregistering a virt_wifi device in netdev_run_todo() can happen together with the device referenced by SET_NETDEV_DEV().

It can result in use-after-free during the ethtool operations performed on a virt_wifi device that is currently being unregistered. Such a net device can have the `dev.parent` field pointing to the freed memory, but ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.

Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:

    ==================================================================
    BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0
    Read of size 2 at addr ffff88810cfc46f8 by task pm/606

    Call Trace:
     <TASK>
     dump_stack_lvl+0x4d/0x70
     print_report+0x170/0x4f3
     ? __pfx__raw_spin_lock_irqsave+0x10/0x10
     kasan_report+0xda/0x110
     ? __pm_runtime_resume+0xe2/0xf0
     ? __pm_runtime_resume+0xe2/0xf0
     __pm_runtime_resume+0xe2/0xf0
     ethnl_ops_begin+0x49/0x270
     ethnl_set_features+0x23c/0xab0
     ? __pfx_ethnl_set_features+0x10/0x10
     ? kvm_sched_clock_read+0x11/0x20
     ? local_clock_noinstr+0xf/0xf0
     ? local_clock+0x10/0x30
     ? kasan_save_track+0x25/0x60
     ? __kasan_kmalloc+0x7f/0x90
     ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0
     genl_family_rcv_msg_doit+0x1e7/0x2c0
     ? __pfx_genl_family_rcv_msg_doit+0x10/0x10
     ? __pfx_cred_has_capability.isra.0+0x10/0x10
     ? stack_trace_save+0x8e/0xc0
     genl_rcv_msg+0x411/0x660
     ? __pfx_genl_rcv_msg+0x10/0x10
     ? __pfx_ethnl_set_features+0x10/0x10
     netlink_rcv_skb+0x121/0x380
     ? __pfx_genl_rcv_msg+0x10/0x10
     ? __pfx_netlink_rcv_skb+0x10/0x10
     ? __pfx_down_read+0x10/0x10
     genl_rcv+0x23/0x30
     netlink_unicast+0x60f/0x830
     ? __pfx_netlink_unicast+0x10/0x10
     ? __pfx___alloc_skb+0x10/0x10
     netlink_sendmsg+0x6ea/0xbc0
     ? __pfx_netlink_sendmsg+0x10/0x10
     ? __futex_queue+0x10b/0x1f0
     ____sys_sendmsg+0x7a2/0x950
     ? copy_msghdr_from_user+0x26b/0x430
     ? __pfx_____sys_sendmsg+0x10/0x10
     ? __pfx_copy_msghdr_from_user+0x10/0x10
     ___sys_sendmsg+0xf8/0x180
     ? __pfx____sys_sendmsg+0x10/0x10
     ? __pfx_futex_wait+0x10/0x10
     ? fdget+0x2e4/0x4a0
     __sys_sendmsg+0x11f/0x1c0
     ? __pfx___sys_sendmsg+0x10/0x10
     do_syscall_64+0xe2/0x570
     ? exc_page_fault+0x66/0xb0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
     </TASK>

This fix may be combined with another one in the ethtool subsystem: https://lore.kernel.org/all/[email protected]/T/#u

Meta Information
Published: 2026-05-01
Last Modified: 2026-05-06
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 13 associated CPEs
Vendor   Product        Version / Range
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   From 6.13 (inc) to 6.18.22 (exc)
linux    linux_kernel   From 5.16 (inc) to 6.1.168 (exc)
linux    linux_kernel   From 6.19 (inc) to 6.19.12 (exc)
linux    linux_kernel   From 6.7 (inc) to 6.12.81 (exc)
linux    linux_kernel   From 6.2 (inc) to 6.6.134 (exc)
linux    linux_kernel   From 5.15 (inc) to 5.15.203 (exc)

CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's virt_wifi network devices. It involves a use-after-free bug caused by the execution of the SET_NETDEV_DEV macro, which sets a device pointer that can become invalid during device unregistration. Specifically, when a virt_wifi device is being unregistered, the device referenced by SET_NETDEV_DEV may be freed, but operations like ethtool can still access this freed memory, leading to a use-after-free condition.

The issue arises because the dev.parent field of the virt_wifi device can point to freed memory, and functions such as ethnl_ops_begin() call pm_runtime_get_sync() on this invalid pointer, causing memory safety violations.

The fix involved removing the SET_NETDEV_DEV call for virt_wifi devices to prevent these use-after-free bugs.


How can this vulnerability impact me?

This vulnerability can lead to use-after-free memory errors in the Linux kernel when performing operations on virt_wifi devices that are being unregistered. Such memory errors can cause system instability, crashes, or potentially allow attackers to execute arbitrary code or escalate privileges if they can trigger these conditions.

Because it involves kernel memory corruption, it may compromise the reliability and security of systems using affected Linux kernel versions with virt_wifi devices.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a use-after-free bug in the Linux kernel's virt_wifi net devices during ethtool operations. Detection would typically involve monitoring for kernel warnings or errors related to use-after-free conditions, such as KASAN (Kernel Address Sanitizer) reports.

You can check your system logs (e.g., dmesg or journalctl) for messages indicating KASAN slab-use-after-free errors related to __pm_runtime_resume or ethnl_ops_begin.

Example commands to detect such issues include:

  • dmesg | grep -i kasan
  • journalctl -k | grep -i kasan
  • ethtool <virt_wifi_device> to trigger ethtool operations and observe if any kernel errors occur.
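
A narrower check than a generic KASAN grep, added here as an example that is not part of the original page: it counts only KASAN reports that fault in `__pm_runtime_resume` and carry an `ethnl_ops_begin` frame, the signature quoted in the description. KASAN reports appear only on kernels built with CONFIG_KASAN; the function names, the sample log lines and their timestamps are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory): count KASAN reports in kernel log
# text that match this CVE's signature. Function names are hypothetical.

# Reads log text on stdin, prints the number of matching reports.
count_virt_wifi_uaf_reports() {
  awk '
    # Start of a KASAN report: note whether it faults in __pm_runtime_resume.
    /BUG: KASAN: / {
      in_report = ($0 ~ /slab-use-after-free in __pm_runtime_resume/)
      next
    }
    # A reliable (not "? "-prefixed) ethnl_ops_begin frame confirms the
    # ethtool netlink path described in the advisory.
    in_report && /ethnl_ops_begin\+/ && $0 !~ /\? ethnl_ops_begin/ {
      hits++
      in_report = 0
    }
    # The end of the call trace closes the current report.
    /<\/TASK>/ { in_report = 0 }
    END { print hits + 0 }
  '
}

# Constructed sample: one report trimmed from the advisory trace (timestamps
# added) and one unrelated KASAN report that must not be counted.
sample_log() {
  cat <<'EOF'
[  101.000001] BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0
[  101.000002] Read of size 2 at addr ffff88810cfc46f8 by task pm/606
[  101.000003] Call Trace:
[  101.000004]  <TASK>
[  101.000005]  kasan_report+0xda/0x110
[  101.000006]  ? __pm_runtime_resume+0xe2/0xf0
[  101.000007]  __pm_runtime_resume+0xe2/0xf0
[  101.000008]  ethnl_ops_begin+0x49/0x270
[  101.000009]  ethnl_set_features+0x23c/0xab0
[  101.000010]  </TASK>
[  202.000001] BUG: KASAN: slab-use-after-free in constructed_other_fn+0x10/0x20
[  202.000002] Call Trace:
[  202.000003]  <TASK>
[  202.000004]  constructed_other_fn+0x10/0x20
[  202.000005]  </TASK>
EOF
}

# On a live system: dmesg | count_virt_wifi_uaf_reports
sample_log | count_virt_wifi_uaf_reports
```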

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by removing the SET_NETDEV_DEV call for virt_wifi devices to avoid use-after-free bugs during device unregistration.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix removing SET_NETDEV_DEV for virt_wifi devices.
  • Avoid performing ethtool operations on virt_wifi devices that may be in the process of being unregistered.
  • Monitor kernel logs for related errors and avoid using affected kernel versions in production environments.
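
To decide whether the kernel update applies, the following added example (not code from the original page) compares a kernel release string against the half-open version ranges in the "Affected Vendors & Products" table above. The function names and status strings are hypothetical, and because the table lists 7.0 without further qualifiers, a 7.0 release is reported separately rather than guessed at.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory): check a kernel release against the
# affected ranges listed on this page. Function names are hypothetical.

# True if version $1 <= version $2 (relies on sort -V from GNU coreutils).
ver_le() {
  [ "$1" = "$2" ] ||
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Prints "affected", "listed-7.0" or "not-listed" for a release string
# such as the output of `uname -r`.
virt_wifi_cve_status() {
  # Keep only the leading dotted number: "6.6.100-12-generic" -> "6.6.100".
  v=$(printf '%s' "$1" | sed -E 's/^([0-9]+(\.[0-9]+)*).*/\1/')
  # The page lists 7.0 several times with no qualifiers; flag it for review.
  case "$v" in 7.0|7.0.0) echo "listed-7.0"; return ;; esac
  # Each line is "first affected (inclusive)  first fixed (exclusive)".
  while read -r lo hi; do
    if ver_le "$lo" "$v" && ! ver_le "$hi" "$v"; then
      echo "affected"; return
    fi
  done <<'EOF'
5.15 5.15.203
5.16 6.1.168
6.2 6.6.134
6.7 6.12.81
6.13 6.18.22
6.19 6.19.12
EOF
  echo "not-listed"
}

# Check the running kernel.
virt_wifi_cve_status "$(uname -r)"
```

Distribution kernels often backport fixes without changing the upstream version number, so treat "affected" as a prompt to check the vendor's advisory rather than as a final answer.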
