CVE-2026-31548

wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down

Assigner: Linux
Reserved: 09.03.2026 Published: 24.04.2026 Updated: 24.04.2026

In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down

When the nl80211 socket that originated a PMSR request is closed, cfg80211_release_pmsr() sets the request's nl_portid to zero and schedules pmsr_free_wk to process the abort asynchronously. If the interface is concurrently torn down before that work runs, cfg80211_pmsr_wdev_down() calls cfg80211_pmsr_process_abort() directly. However, the already- scheduled pmsr_free_wk work item remains pending and may run after the interface has been removed from the driver. This could cause the driver's abort_pmsr callback to operate on a torn-down interface, leading to undefined behavior and potential crashes.

Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down() before calling cfg80211_pmsr_process_abort(). This ensures any pending or in-progress work is drained before interface teardown proceeds, preventing the work from invoking the driver abort callback after the interface is gone.

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 to 28d3551f8d8cb3aec7497894d94150fe84d20e5e (excl.) affected from 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 to 37e776e2e0a523731e2470dce6d563f0e8632a40 (excl.) affected from 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 to d32c07ef1880fe20cf4ab223dbfedc9c0b2816aa (excl.) affected from 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 to a1b7a843f12a0c3e9d3a2ca607ce451916ef42cf (excl.) affected from 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 to 72b7ea786b8e570ae11149e9089859a4a8634a13 (excl.) affected from 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 to 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 (excl.)

Vendor

Linux

Product

Linux

Versions

Default: unaffected

affected from 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 to 28d3551f8d8cb3aec7497894d94150fe84d20e5e (excl.)
affected from 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 to 37e776e2e0a523731e2470dce6d563f0e8632a40 (excl.)
affected from 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 to d32c07ef1880fe20cf4ab223dbfedc9c0b2816aa (excl.)
affected from 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 to a1b7a843f12a0c3e9d3a2ca607ce451916ef42cf (excl.)
affected from 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 to 72b7ea786b8e570ae11149e9089859a4a8634a13 (excl.)
affected from 9bb7e0f24e7e7d00daa1219b14539e2e602649b2 to 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 5.0 is affected unaffected from 0 to 5.0 (excl.) unaffected from 6.1.167 to 6.1.* (incl.) unaffected from 6.6.130 to 6.6.* (incl.) unaffected from 6.12.78 to 6.12.* (incl.) unaffected from 6.18.20 to 6.18.* (incl.) unaffected from 6.19.10 to 6.19.* (incl.) unaffected from 7.0 to * (incl.)

Vendor

Linux

Product

Linux

Versions

Default: affected

Version 5.0 is affected
unaffected from 0 to 5.0 (excl.)
unaffected from 6.1.167 to 6.1.* (incl.)
unaffected from 6.6.130 to 6.6.* (incl.)
unaffected from 6.12.78 to 6.12.* (incl.)
unaffected from 6.18.20 to 6.18.* (incl.)
unaffected from 6.19.10 to 6.19.* (incl.)
unaffected from 7.0 to * (incl.)

References

CVE-2026-31548 PUBLISHED

wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down

Product Status

References