CVE-2026-31695
Published: 01 May 2026
Summary
CVE-2026-31695 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 2.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Directly mandates timely identification, reporting, and patching of kernel flaws like the use-after-free in virt_wifi during device unregistration.
Requires vulnerability scanning and monitoring to detect the presence of CVE-2026-31695 in Linux kernel versions using tools that track CVEs against deployed software.
Minimizes attack surface by prohibiting or restricting nonessential kernel drivers such as virt_wifi, avoiding exposure to this driver-specific race condition.
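A way to triage whether the virt_wifi driver is reachable on a host, as an added example that is not part of the original page. The function names are hypothetical, the default paths (`/boot/config-$(uname -r)`, `/etc/modprobe.d`) are assumptions about the distribution layout, and the script does not check whether the running kernel already carries the fix.

```shell
#!/bin/sh
# Added example: exposure triage for the virt_wifi driver (CVE-2026-31695).
# Paths are parameters so the logic can be checked against fixture files.

# 0 if the module is loaded according to a /proc/modules-format file.
virt_wifi_loaded() {
    [ -r "$1" ] && grep -q '^virt_wifi ' "$1"
}

# Prints y, m or n for CONFIG_VIRT_WIFI ("unknown" if the config is unreadable).
virt_wifi_config() {
    [ -r "$1" ] || { echo unknown; return 0; }
    val=$(sed -n 's/^CONFIG_VIRT_WIFI=\([ym]\)$/\1/p' "$1" | head -n 1)
    echo "${val:-n}"
}

# 0 if a modprobe.d directory overrides loading with an "install" rule.
# "blacklist" alone does not stop an explicit modprobe, so it is not counted.
# Only one directory is inspected; /usr/lib/modprobe.d etc. are not covered.
virt_wifi_blocked() {
    [ -d "$1" ] || return 1
    cat "$1"/*.conf 2>/dev/null |
        grep -Eq '^[[:space:]]*install[[:space:]]+virt_wifi[[:space:]]+/bin/(false|true)'
}

# Combines the checks into one status word:
# loaded | built-in | loadable | blocked | not-built | unknown
virt_wifi_status() {
    modules=${1:-/proc/modules}
    config=${2:-/boot/config-$(uname -r)}
    modprobe_d=${3:-/etc/modprobe.d}
    if virt_wifi_loaded "$modules"; then echo loaded; return 0; fi
    case $(virt_wifi_config "$config") in
        y) echo built-in ;;
        m) if virt_wifi_blocked "$modprobe_d"; then echo blocked; else echo loadable; fi ;;
        n) echo not-built ;;
        *) echo unknown ;;
    esac
}

virt_wifi_status "$@"
```

Hosts reporting `loaded`, `built-in` or `loadable` are the ones to prioritise for the kernel update; `blocked` and `not-built` hosts have the driver out of reach of modprobe.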
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Local kernel UAF in virt_wifi driver enables arbitrary code execution via ethtool/netlink operations, directly mapping to exploitation for privilege escalation (T1068).
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free

Currently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for the virt_wifi net devices. However, unregistering a virt_wifi device in netdev_run_todo() can happen together with the device referenced by SET_NETDEV_DEV().

It can result in use-after-free during the ethtool operations performed on a virt_wifi device that is currently being unregistered. Such a net device can have the `dev.parent` field pointing to the freed memory, but ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.

Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:

  ==================================================================
  BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0
  Read of size 2 at addr ffff88810cfc46f8 by task pm/606

  Call Trace:
   <TASK>
   dump_stack_lvl+0x4d/0x70
   print_report+0x170/0x4f3
   ? __pfx__raw_spin_lock_irqsave+0x10/0x10
   kasan_report+0xda/0x110
   ? __pm_runtime_resume+0xe2/0xf0
   ? __pm_runtime_resume+0xe2/0xf0
   __pm_runtime_resume+0xe2/0xf0
   ethnl_ops_begin+0x49/0x270
   ethnl_set_features+0x23c/0xab0
   ? __pfx_ethnl_set_features+0x10/0x10
   ? kvm_sched_clock_read+0x11/0x20
   ? local_clock_noinstr+0xf/0xf0
   ? local_clock+0x10/0x30
   ? kasan_save_track+0x25/0x60
   ? __kasan_kmalloc+0x7f/0x90
   ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0
   genl_family_rcv_msg_doit+0x1e7/0x2c0
   ? __pfx_genl_family_rcv_msg_doit+0x10/0x10
   ? __pfx_cred_has_capability.isra.0+0x10/0x10
   ? stack_trace_save+0x8e/0xc0
   genl_rcv_msg+0x411/0x660
   ? __pfx_genl_rcv_msg+0x10/0x10
   ? __pfx_ethnl_set_features+0x10/0x10
   netlink_rcv_skb+0x121/0x380
   ? __pfx_genl_rcv_msg+0x10/0x10
   ? __pfx_netlink_rcv_skb+0x10/0x10
   ? __pfx_down_read+0x10/0x10
   genl_rcv+0x23/0x30
   netlink_unicast+0x60f/0x830
   ? __pfx_netlink_unicast+0x10/0x10
   ? __pfx___alloc_skb+0x10/0x10
   netlink_sendmsg+0x6ea/0xbc0
   ? __pfx_netlink_sendmsg+0x10/0x10
   ? __futex_queue+0x10b/0x1f0
   ____sys_sendmsg+0x7a2/0x950
   ? copy_msghdr_from_user+0x26b/0x430
   ? __pfx_____sys_sendmsg+0x10/0x10
   ? __pfx_copy_msghdr_from_user+0x10/0x10
   ___sys_sendmsg+0xf8/0x180
   ? __pfx____sys_sendmsg+0x10/0x10
   ? __pfx_futex_wait+0x10/0x10
   ? fdget+0x2e4/0x4a0
   __sys_sendmsg+0x11f/0x1c0
   ? __pfx___sys_sendmsg+0x10/0x10
   do_syscall_64+0xe2/0x570
   ? exc_page_fault+0x66/0xb0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
   </TASK>

This fix may be combined with another one in the ethtool subsystem: https://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u
Deeper analysis [AI]
CVE-2026-31695 is a use-after-free vulnerability in the Linux kernel's virt_wifi net device driver. The driver executes SET_NETDEV_DEV(dev, &priv->lowerdev->dev) for virt_wifi devices, but unregistering a virt_wifi device in netdev_run_todo() can happen together with the device referenced by SET_NETDEV_DEV(). This can leave the dev.parent field pointing to freed memory, triggering a use-after-free during ethtool operations, because ethnl_ops_begin() calls pm_runtime_get_sync(dev->dev.parent). The vulnerability was confirmed via a KASAN-reported slab-use-after-free in __pm_runtime_resume during ethtool feature setting over netlink.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation occurs by performing ethtool operations, such as ethnl_set_features via generic netlink messages (genl_rcv_msg), on a virt_wifi device that is concurrently being unregistered. Successful exploitation can result in high confidentiality, integrity, and availability impacts, including kernel memory corruption, potential denial of service via crashes, or arbitrary code execution due to the use-after-free access.
Kernel stable patches address the issue by removing SET_NETDEV_DEV for virt_wifi devices, as detailed in commits such as 5adc01506da94dfaab76f3d1b8410a8ca7bfc59d, 5bbadf60b121065ffb267ec92018607b9c1c7524, 789b06f9f39cdc7e895bdab2c034e39c41c8f8d6, c5fa98842783ed227365d1303785de6a67020c8d, and d1e3aa80e6e04410ba89eaaba4441a0d749d181d available at git.kernel.org/stable. This fix may be combined with another in the ethtool subsystem, preventing the race condition and use-after-free during runtime power management calls. Security practitioners should update to patched kernel versions to mitigate exposure in environments using virt_wifi.
Details
- CWE(s)