Cyber Resilience

CVE-2026-31552

HighDDoS

Published: 24 April 2026

Published
24 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0009 26.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31552 is a high-severity Infinite Loop (CWE-835) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 26.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other Platforms; in the Not Applicable risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31552 is a vulnerability in the Linux kernel's wlcore WiFi driver, specifically affecting the wl1271_tx_allocate() and wl1271_prepare_tx_frame() functions. Following an upstream commit that ensures sufficient skb headroom before skb_push, these functions return -EAGAIN when pskb_expand_head() fails due to insufficient headroom. However, in wlcore_tx_work_locked(), this -EAGAIN is misinterpreted as the aggregation buffer being full, triggering a retry mechanism that flushes the buffer, requeues the skb, and loops indefinitely while holding wl->mutex and using GFP_ATOMIC allocations. This results in a CPU soft lockup, classified under CWE-835 (Loop with Unreachable Exit Condition), with a CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

An attacker with network access to a system using the wlcore driver can exploit this remotely without privileges or user interaction by sending crafted packets that trigger the headroom failure. The low attack complexity allows exploitation over the network, leading to a denial-of-service condition via CPU soft lockup, as the infinite retry loop consumes CPU resources and prevents normal operation.

The provided kernel stable commit references detail the patches, which modify wl1271_tx_allocate() to return -ENOMEM instead of -EAGAIN on headroom failure. This ensures the packet is dropped, terminating the loop and avoiding the soft lockup.

This issue was identified by an experimental code review agent based on gemini-3.1-pro during review of backports into v6.18.y, highlighting AI-assisted vulnerability detection in kernel code. No real-world exploitation is reported as of the 2026-04-24 publication.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom before skb_push"), wl1271_tx_allocate() and with it wl1271_prepare_tx_frame() returns…

more

-EAGAIN if pskb_expand_head() fails. However, in wlcore_tx_work_locked(), a return value of -EAGAIN from wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being full. This causes the code to flush the buffer, put the skb back at the head of the queue, and immediately retry the same skb in a tight while loop. Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens immediately with GFP_ATOMIC, this will result in an infinite loop and a CPU soft lockup. Return -ENOMEM instead so the packet is dropped and the loop terminates. The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y.

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Not Applicable
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: gemini

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE directly enables remote DoS via crafted WiFi packets triggering infinite loop/soft lockup in kernel driver (CWE-835), matching Application or System Exploitation under Endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23451Same product: Linux Linux Kernel
CVE-2026-31448Same product: Linux Linux Kernel
CVE-2026-23388Same product: Linux Linux Kernel
CVE-2026-23242Same product: Linux Linux Kernel
CVE-2026-22991Same product: Linux Linux Kernel
CVE-2025-21717Same product: Linux Linux Kernel
CVE-2026-23459Same product: Linux Linux Kernel
CVE-2026-31640Same product: Linux Linux Kernel
CVE-2026-31739Same product: Linux Linux Kernel
CVE-2022-49509Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.19, 7.0 · 5.10.250 — 5.10.253 · 5.15.200 — 5.15.203 · 6.1.163 — 6.1.167

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Applying the specific kernel patch that returns -ENOMEM instead of -EAGAIN on headroom failure directly remediates the infinite loop causing CPU soft lockup.

prevent

Effective error handling prevents misinterpretation of -EAGAIN as buffer full, avoiding the retry loop under mutex lock with GFP_ATOMIC allocations.

prevent

Denial-of-service protection mechanisms limit the impact of crafted packets triggering the wlcore driver's infinite retry loop and CPU exhaustion.

References