CVE-2026-31552
Published: 24 April 2026
Summary
CVE-2026-31552 is a high-severity Infinite Loop (CWE-835) vulnerability in the Linux kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 20.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as APIs and Models.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Applying the specific kernel patch that returns -ENOMEM instead of -EAGAIN on headroom failure directly remediates the infinite loop causing CPU soft lockup.
Effective error handling prevents misinterpretation of -EAGAIN as buffer full, avoiding the retry loop under mutex lock with GFP_ATOMIC allocations.
Denial-of-service protection mechanisms limit the impact of crafted packets triggering the wlcore driver's infinite retry loop and CPU exhaustion.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
CVE directly enables remote DoS via crafted WiFi packets triggering infinite loop/soft lockup in kernel driver (CWE-835), matching Application or System Exploitation under Endpoint DoS.
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom
Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push"), wl1271_tx_allocate() and with it wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails. However, in wlcore_tx_work_locked(), a return value of -EAGAIN from wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being full. This causes the code to flush the buffer, put the skb back at the head of the queue, and immediately retry the same skb in a tight while loop. Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens immediately with GFP_ATOMIC, this will result in an infinite loop and a CPU soft lockup. Return -ENOMEM instead so the packet is dropped and the loop terminates.
The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y.
Deeper analysis [AI]
CVE-2026-31552 is a vulnerability in the Linux kernel's wlcore WiFi driver, specifically affecting the wl1271_tx_allocate() and wl1271_prepare_tx_frame() functions. Following an upstream commit that ensures sufficient skb headroom before skb_push, these functions return -EAGAIN when pskb_expand_head() fails due to insufficient headroom. However, in wlcore_tx_work_locked(), this -EAGAIN is misinterpreted as the aggregation buffer being full, triggering a retry mechanism that flushes the buffer, requeues the skb, and loops indefinitely while holding wl->mutex and using GFP_ATOMIC allocations. This results in a CPU soft lockup, classified under CWE-835 (Loop with Unreachable Exit Condition), with a CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An attacker with network access to a system using the wlcore driver can exploit this remotely without privileges or user interaction by sending crafted packets that trigger the headroom failure. The low attack complexity allows exploitation over the network, leading to a denial-of-service condition via CPU soft lockup, as the infinite retry loop consumes CPU resources and prevents normal operation.
The provided kernel stable commit references detail the patches, which modify wl1271_tx_allocate() to return -ENOMEM instead of -EAGAIN on headroom failure. This ensures the packet is dropped, terminating the loop and avoiding the soft lockup.
This issue was identified by an experimental code review agent based on gemini-3.1-pro during review of backports into v6.18.y, highlighting AI-assisted vulnerability detection in kernel code. No real-world exploitation is reported as of the 2026-04-24 publication.
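The retry logic described in the NVD description and analysis above can be reproduced in a small user-space model. This is an added example, not code from the kernel or the patch: every function and struct name is hypothetical, and SPIN_LIMIT is an assumed stand-in for the soft-lockup watchdog so the buggy case terminates.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified user-space model; every name here is hypothetical, not kernel code. */
#define AGGR_CAPACITY 4     /* frames the modelled aggregation buffer holds */
#define SPIN_LIMIT    1000  /* stand-in for the soft-lockup watchdog */

struct frame { int headroom_fails; };  /* models pskb_expand_head() failing */
struct stats { int sent, dropped, flushes, locked_up; };

/* Prepare step: the caller reads -EAGAIN as "buffer full, flush and retry". */
static int prepare_frame(const struct frame *f, int used, int headroom_errno)
{
    if (f->headroom_fails)
        return headroom_errno;         /* -EAGAIN before the fix, -ENOMEM after */
    return used >= AGGR_CAPACITY ? -EAGAIN : 0;
}

/* TX work loop; in the driver this runs with wl->mutex held. */
static struct stats tx_work(const struct frame *q, int n, int headroom_errno)
{
    struct stats st = {0};
    int used = 0, spins = 0, i = 0;

    while (i < n) {
        int ret = prepare_frame(&q[i], used, headroom_errno);
        if (ret == -EAGAIN) {          /* flush, keep frame at head, retry it */
            used = 0;
            st.flushes++;
            if (++spins >= SPIN_LIMIT) { st.locked_up = 1; break; }
            continue;
        }
        spins = 0;
        if (ret < 0) st.dropped++;     /* any other error drops the frame */
        else { used++; st.sent++; }
        i++;
    }
    return st;
}

int main(void)
{
    /* Constructed queue: the third frame can never get headroom. */
    struct frame q[6] = { {0}, {0}, {1}, {0}, {0}, {0} };
    struct stats a = tx_work(q, 6, -EAGAIN), b = tx_work(q, 6, -ENOMEM);
    printf("-EAGAIN: sent=%d flushes=%d locked_up=%d\n", a.sent, a.flushes, a.locked_up);
    printf("-ENOMEM: sent=%d dropped=%d flushes=%d\n", b.sent, b.dropped, b.flushes);
    return 0;
}
```

With -ENOMEM the legitimate buffer-full flush on the last frame still works, which shows that the fix changes only how the headroom failure is signalled.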
AI Security Analysis [AI]
- AI Category: APIs and Models
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: gemini