CVE-2026-31780
Published: 01 May 2026
Summary
CVE-2026-31780 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-31780 is a heap buffer overflow vulnerability in the Linux kernel's WILC1000 WiFi driver. The flaw stems from the use of a u8 variable, valuesize, to accumulate the total length of SSIDs for a scan buffer. With up to WILC_MAX_NUM_PROBED_SSID (10) SSIDs, each contributing up to 33 bytes (IEEE80211_MAX_SSID_LEN + 1), the total can reach 330 bytes. Stored in a u8, this overflows to 74, causing kmalloc to allocate only 75 bytes, while a subsequent memcpy writes up to 331 bytes, resulting in a 256-byte heap overflow.
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A local attacker with low privileges can exploit it by triggering an SSID scan with multiple long SSIDs, leading to the buffer overflow. Successful exploitation could allow arbitrary code execution, data corruption, or system denial of service with high impact on confidentiality, integrity, and availability.
Mitigation is provided through kernel patches in stable releases, which widen valuesize from u8 to u32 to handle the full buffer size range without overflow. Relevant commits include:
- https://git.kernel.org/stable/c/0c7f21d8bd2f93998b72b7a7f93152336aeca4dd
- https://git.kernel.org/stable/c/34a23fd9ddd683a03c7e8cc0ceded3e59e354b99
- https://git.kernel.org/stable/c/549f02d8ec94d39092ab6d9b103d0d6783a4b024
- https://git.kernel.org/stable/c/9907ac9b9a18b92fc34b9e4cb9e10f208dc1d3f7
- https://git.kernel.org/stable/c/bfbddeadd4779651403035ee177ae2f22f9f5521
Security practitioners should ensure affected systems receive these updates.
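The size arithmetic and the effect of the fix described above, as an added user-space C model (not the driver's code and not taken from the kernel patch). The helper names are hypothetical, the size rule (each SSID adds its length plus one, with one more byte on top) is assumed from the figures in this advisory, and the program only computes sizes without allocating or copying anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_SSID_LEN     32 /* IEEE80211_MAX_SSID_LEN */
#define MAX_PROBED_SSIDS 10 /* WILC_MAX_NUM_PROBED_SSID, per the advisory */

/* Bytes the copy needs: (len + 1) per SSID plus one, per the advisory's figures. */
static size_t bytes_written(const uint8_t *lens, size_t n)
{
    size_t total = 1;
    for (size_t i = 0; i < n; i++)
        total += (size_t)lens[i] + 1;
    return total;
}

/* Allocation size when the running total lives in a u8 (pre-fix behaviour). */
static size_t alloc_size_u8(const uint8_t *lens, size_t n)
{
    uint8_t valuesize = 0;
    for (size_t i = 0; i < n; i++)
        valuesize = (uint8_t)(valuesize + lens[i] + 1); /* wraps modulo 256 */
    return (size_t)valuesize + 1;
}

/* Allocation size with the total widened to u32 (the fix described above). */
static size_t alloc_size_u32(const uint8_t *lens, size_t n)
{
    uint32_t valuesize = 0;
    for (size_t i = 0; i < n; i++)
        valuesize += (uint32_t)lens[i] + 1;
    return (size_t)valuesize + 1;
}

/* Bytes that would land past the allocation; 0 means the copy fits. */
static size_t overflow_bytes(size_t alloc, size_t written)
{
    return written > alloc ? written - alloc : 0;
}

int main(void)
{
    uint8_t lens[MAX_PROBED_SSIDS]; /* constructed input: all SSIDs at max length */
    for (size_t i = 0; i < MAX_PROBED_SSIDS; i++) lens[i] = MAX_SSID_LEN;
    for (size_t n = 1; n <= MAX_PROBED_SSIDS; n++) {
        size_t w = bytes_written(lens, n), a8 = alloc_size_u8(lens, n);
        printf("n=%2zu need=%3zu u8_alloc=%3zu (over by %3zu) u32_alloc=%3zu\n",
               n, w, a8, overflow_bytes(a8, w), alloc_size_u32(lens, n));
    }
}
```

With maximum-length SSIDs the u8 total first wraps at eight entries, so the allocation shortfall appears before the ten-entry limit is reached.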
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26593
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
The variable valuesize is declared as u8 but accumulates the total length of all SSIDs to scan. Each SSID contributes up to 33 bytes (IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10) SSIDs the total can reach 330, which wraps around to 74 when stored in a u8. This causes kmalloc to allocate only 75 bytes while the subsequent memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte heap buffer overflow. Widen valuesize from u8 to u32 to accommodate the full range.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel heap buffer overflow (AV:L/PR:L) in WiFi driver directly enables arbitrary code execution for privilege escalation via crafted SSID scan input.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mandates timely patching of the heap buffer overflow flaw in the Linux kernel's WILC1000 WiFi driver as provided in stable kernel releases.
Implements memory safeguards like address space randomization and non-executable heap memory to mitigate exploitation of the heap buffer overflow.
Enables vulnerability scanning to identify the presence of CVE-2026-31780 in deployed Linux kernels with the WILC1000 driver.