Home

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down When the nl80211 socket that originated a PMSR request is closed, cfg80211_release_pmsr() sets the request's nl_portid to zero and schedules pmsr_free_wk to process the abort asynchronously. If the interface is concurrently torn down before that work runs, cfg80211_pmsr_wdev_down() calls cfg80211_pmsr_process_abort() directly. However, the already- scheduled pmsr_free_wk work item remains pending and may run after the interface has been removed from the driver. This could cause the driver's abort_pmsr callback to operate on a torn-down interface, leading to undefined behavior and potential crashes. Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down() before calling cfg80211_pmsr_process_abort(). This ensures any pending or in-progress work is drained before interface teardown proceeds, preventing the work from invoking the driver abort callback after the interface is gone.

PUBLISHED Reserved 2026-03-09 | Published 2026-04-24 | Updated 2026-04-27 | Assigner Linux




HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Product status

Default status
unaffected

9bb7e0f24e7e7d00daa1219b14539e2e602649b2 (git) before 28d3551f8d8cb3aec7497894d94150fe84d20e5e
affected

9bb7e0f24e7e7d00daa1219b14539e2e602649b2 (git) before 37e776e2e0a523731e2470dce6d563f0e8632a40
affected

9bb7e0f24e7e7d00daa1219b14539e2e602649b2 (git) before d32c07ef1880fe20cf4ab223dbfedc9c0b2816aa
affected

9bb7e0f24e7e7d00daa1219b14539e2e602649b2 (git) before a1b7a843f12a0c3e9d3a2ca607ce451916ef42cf
affected

9bb7e0f24e7e7d00daa1219b14539e2e602649b2 (git) before 72b7ea786b8e570ae11149e9089859a4a8634a13
affected

9bb7e0f24e7e7d00daa1219b14539e2e602649b2 (git) before 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09
affected

Default status
affected

5.0
affected

Any version before 5.0
unaffected

6.1.167 (semver)
unaffected

6.6.130 (semver)
unaffected

6.12.78 (semver)
unaffected

6.18.20 (semver)
unaffected

6.19.10 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/28d3551f8d8cb3aec7497894d94150fe84d20e5e

git.kernel.org/...c/37e776e2e0a523731e2470dce6d563f0e8632a40

git.kernel.org/...c/d32c07ef1880fe20cf4ab223dbfedc9c0b2816aa

git.kernel.org/...c/a1b7a843f12a0c3e9d3a2ca607ce451916ef42cf

git.kernel.org/...c/72b7ea786b8e570ae11149e9089859a4a8634a13

git.kernel.org/...c/6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09

cve.org (CVE-2026-31548)

nvd.nist.gov (CVE-2026-31548)

Download JSON