CVE-2026-31548
Published: 24 April 2026
Summary
CVE-2026-31548 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-3 (Configuration Change Control).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly and comprehensively mitigates CVE-2026-31548 by requiring identification, prioritization, and timely patching of the kernel race condition in the cfg80211 PMSR handling.
Addresses detection of the vulnerable kernel versions affected by CVE-2026-31548 through vulnerability scanning, enabling subsequent remediation.
Ensures controlled and approved application of kernel patches fixing CVE-2026-31548 via configuration change processes, preventing improper or unverified updates.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel race condition in cfg80211 enables memory corruption/undefined behavior after interface teardown; directly supports local privilege escalation via exploitation (T1068) and can be abused for targeted endpoint DoS through system crash (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down When the nl80211 socket that originated a PMSR request is closed, cfg80211_release_pmsr() sets the request's nl_portid to zero and schedules pmsr_free_wk to process the…
more
abort asynchronously. If the interface is concurrently torn down before that work runs, cfg80211_pmsr_wdev_down() calls cfg80211_pmsr_process_abort() directly. However, the already- scheduled pmsr_free_wk work item remains pending and may run after the interface has been removed from the driver. This could cause the driver's abort_pmsr callback to operate on a torn-down interface, leading to undefined behavior and potential crashes. Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down() before calling cfg80211_pmsr_process_abort(). This ensures any pending or in-progress work is drained before interface teardown proceeds, preventing the work from invoking the driver abort callback after the interface is gone.
Deeper analysisAI
CVE-2026-31548 is a race condition vulnerability in the Linux kernel's cfg80211 subsystem, specifically affecting the handling of Periodic Measurement and Sensing Requests (PMSR). When the nl80211 socket originating a PMSR request closes, cfg80211_release_pmsr() sets the request's nl_portid to zero and schedules the pmsr_free_wk work item to process the abort asynchronously. If the wireless interface is torn down concurrently before this work runs, cfg80211_pmsr_wdev_down() calls cfg80211_pmsr_process_abort() directly, but the pending pmsr_free_wk may execute afterward. This results in the driver's abort_pmsr callback operating on a removed interface, leading to undefined behavior and potential crashes. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by closing an nl80211 socket with a pending PMSR request while concurrently triggering interface teardown, such as through interface down commands. Successful exploitation triggers the race, causing the pending work item to invoke the driver callback post-teardown, resulting in kernel crashes or other undefined behaviors that compromise system confidentiality, integrity, and availability at high impact levels.
Kernel patches addressing this issue are available in stable branches via the referenced commits, which modify cfg80211_pmsr_wdev_down() to synchronously cancel pmsr_free_wk before invoking cfg80211_pmsr_process_abort(). This drains any pending or in-progress work, preventing the driver callback from executing after interface removal and allowing safe teardown. Security practitioners should update affected Linux kernels to incorporate these fixes.
Details
- CWE(s)