CVE-2026-31779
Published: 01 May 2026
Summary
CVE-2026-31779 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE ranks at the 18.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31779 is a vulnerability in the Linux kernel's iwlwifi driver, specifically within the mvm component's iwl_mvm_nd_match_info_handler() function. It stems from a memcpy operation that assumes the dynamic array notif->matches is at least as large as the number of bytes to be copied, potentially leading to an out-of-bounds read if the packet length is insufficient. This could result in results->matches containing unwanted data. The issue affects systems using the iwlwifi driver for Intel WiFi hardware and was discovered by the Linux Verification Center using SVACE static analysis.
An attacker with adjacent network access (AV:A) can exploit this vulnerability with low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). Successful exploitation enables high-impact confidentiality loss (C:H), such as leakage of sensitive data from kernel memory, and high-impact availability disruption (A:H), potentially causing denial of service via crashes, while maintaining unchanged scope (S:U). The CVSS v3.1 base score is 8.1, reflecting its severity in WiFi-enabled environments.
Mitigation is provided through upstream kernel patches available in the Linux stable repository. Key commits, such as 744fabc338e87b95c4d1ff7c95bc8c0f834c6d99, ca0e9491b98ca4c5b44204b0b3dd8062a3b5fba2, dd90880eb5ec5442b37eb2b95688f4a63f4883e3, e67d8c626ace80b0fa2b48c8ec0a46b508c93442, and f6abac936a0dfd31d6c3e49205ec0ee75a8f887f, extend validation checks to ensure the packet length is sufficient before performing the memcpy, preventing the out-of-bounds read. Security practitioners should update to kernels incorporating these fixes.
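The length check described above, shown as an added C example; it is not the kernel patch or iwlwifi code. The struct layouts, `MAX_MATCHES`, `HDR_LEN`, `copy_matches_checked()` and `build_packet()` are hypothetical names chosen for illustration, and the packets are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MATCHES 8  /* assumed capacity of the results buffer */
/* Hypothetical layouts for illustration; not the iwlwifi definitions. */
struct match_entry { uint8_t id; uint8_t data[7]; };
struct match_notif {
    uint32_t n_matches;            /* count claimed by the sender */
    struct match_entry matches[];  /* real size is set by the packet length */
};
struct match_results { uint32_t n_matches; struct match_entry matches[MAX_MATCHES]; };
#define HDR_LEN (offsetof(struct match_notif, matches))

/* Copy matches only if the payload really holds n_matches entries.
 * Returns 0 on success, -1 if the packet is truncated or the count is too big. */
int copy_matches_checked(const uint8_t *payload, size_t len, struct match_results *res)
{
    uint32_t n;
    if (len < HDR_LEN)
        return -1;                       /* header itself is truncated */
    memcpy(&n, payload, sizeof(n));      /* alignment-safe read of the count */
    if (n > MAX_MATCHES)
        return -1;                       /* would overflow res->matches */
    size_t need = (size_t)n * sizeof(struct match_entry);
    if (len - HDR_LEN < need)
        return -1;                       /* fewer bytes present than claimed */
    memcpy(res->matches, payload + HDR_LEN, need);
    res->n_matches = n;
    return 0;
}

/* Constructed packet: header claims `claimed` entries, buffer holds `present`. */
size_t build_packet(uint8_t *buf, uint32_t claimed, uint32_t present)
{
    memcpy(buf, &claimed, sizeof(claimed));
    memset(buf + HDR_LEN, 0xAB, present * sizeof(struct match_entry));
    return HDR_LEN + present * sizeof(struct match_entry);
}

int main(void)
{
    uint8_t buf[HDR_LEN + MAX_MATCHES * sizeof(struct match_entry)];
    struct match_results res = {0};
    printf("complete:  %d\n", copy_matches_checked(buf, build_packet(buf, 2, 2), &res));
    printf("truncated: %d\n", copy_matches_checked(buf, build_packet(buf, 4, 1), &res));
    return 0;
}
```

Without the `len - HDR_LEN < need` comparison, the truncated packet would make `memcpy` read past the received payload, which is the out-of-bounds read class this CVE describes.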
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26592
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()
The memcpy function assumes the dynamic array notif->matches is at least as large as the number of bytes to copy. Otherwise, results->matches may contain unwanted data. To guarantee safety, extend the validation in one of the checks to ensure sufficient packet length.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OOB read in WiFi driver enables kernel memory disclosure for credential access via exploitation (T1212) and system crashes for DoS via application/system exploitation (T1499.004).
Mitigating Controls (NIST 800-53 r5)
Timely remediation through upstream kernel patches directly corrects the insufficient packet length validation before memcpy, eliminating the out-of-bounds read vulnerability.
Mandates validation of information inputs such as WiFi packet lengths to ensure they match expected sizes, preventing memcpy operations from accessing uninitialized or out-of-bounds memory.
Provides memory safeguards like kernel address space isolation and protections against unauthorized memory access, mitigating potential leakage and crashes from out-of-bounds reads.