Security Vulnerability Report
中文
CVE-2026-31780 CVSS 7.8 HIGH

CVE-2026-31780

Published: 2026-05-01 15:16:41
Last Modified: 2026-05-11 20:54:09
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation The variable valuesize is declared as u8 but accumulates the total length of all SSIDs to scan. Each SSID contributes up to 33 bytes (IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10) SSIDs the total can reach 330, which wraps around to 74 when stored in a u8. This causes kmalloc to allocate only 75 bytes while the subsequent memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte heap buffer overflow. Widen valuesize from u8 to u32 to accommodate the full range.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel (wilc1000 driver versions prior to fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * PoC Concept for CVE-2026-31780 * This code demonstrates the logic error causing the overflow. * Compile: gcc -o poc poc.c */ #include <stdio.h> #include <stdint.h> #include <stdlib.h> #define WILC_MAX_NUM_PROBED_SSID 10 #define IEEE80211_MAX_SSID_LEN 32 // Vulnerable logic simulation void simulate_vulnerability() { uint8_t valuesize = 0; // Vulnerable type u8 int total_ssid_len = WILC_MAX_NUM_PROBED_SSID * (IEEE80211_MAX_SSID_LEN + 1); printf("[+] Simulating SSID size calculation...\n"); for (int i = 0; i < WILC_MAX_NUM_PROBED_SSID; i++) { valuesize += (IEEE80211_MAX_SSID_LEN + 1); } printf("[+] Calculated size (u8): %d\n", valuesize); printf("[+] Actual required size: %d\n", total_ssid_len); if (valuesize < total_ssid_len) { printf("[!] Integer overflow detected! Allocating %d bytes but writing %d bytes.\n", valuesize, total_ssid_len); // Simulating the kmalloc and memcpy behavior char *buffer = (char *)malloc(valuesize + 1); if (buffer) { char dummy_data[400]; // Source data larger than buffer memset(dummy_data, 'A', sizeof(dummy_data)); // This would cause heap overflow in the kernel // memcpy(buffer, dummy_data, total_ssid_len); printf("[!] In Kernel: memcpy(dst, src, %d) overflows buffer of size %d\n", total_ssid_len, valuesize); free(buffer); } } } int main() { simulate_vulnerability(); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31780", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:41.453", "lastModified": "2026-05-11T20:54:09.280", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation\n\nThe variable valuesize is declared as u8 but accumulates the total\nlength of all SSIDs to scan. Each SSID contributes up to 33 bytes\n(IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10)\nSSIDs the total can reach 330, which wraps around to 74 when stored\nin a u8.\n\nThis causes kmalloc to allocate only 75 bytes while the subsequent\nmemcpy writes up to 331 bytes into the buffer, resulting in a 256-byte\nheap buffer overflow.\n\nWiden valuesize from u8 to u32 to accommodate the full range."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2", "versionEndExcluding": "5.10.253", "matchCriteriaId": "CC85AD7F-B910-43F1-9A7F-94BC2781DACB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.168", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.134", "matchCriteriaId": "F56F925B-BAF8-4F4B-B62F-1496AF19A307"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.81", "matchCriteriaId": "6EF80433-B33B-43C5-8E64-0FA7B8DCE1BC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.22", "matchCriteriaId": "C9DF8BCE-36D3-475D-9D21-19E4F02F9029"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.12", "matchCriteriaId": "0A2B9540-02D5-41B4-B16A-82AF66FD4F36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0c7f21d8bd2f93998b72b7a7f93152336aeca4dd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/34a23fd9ddd683a03c7e8cc0ceded3e59e354b99", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/549f02d8ec94d39092ab6d9b103d0d6783a4b024", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9907ac9b9a18b92fc34b9e4cb9e10f208dc1d3f7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/bfbddeadd4779651403035ee177ae2f22f9f5521", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c97b2a00059608592ad0d86fbb813a4f8cf9464b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d049e56b1739101d1c4d81deedb269c52a8dbba0", "source": "416baaa9-dc ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.