CVE-2026-31695 PUBLISHED

wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free

Assigner: Linux
Reserved: 09.03.2026 Published: 01.05.2026 Updated: 01.05.2026

In the Linux kernel, the following vulnerability has been resolved:

wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free

Currently we execute SET_NETDEV_DEV(dev, &priv->lowerdev->dev) for the virt_wifi net devices. However, unregistering a virt_wifi device in netdev_run_todo() can happen together with the device referenced by SET_NETDEV_DEV().

It can result in use-after-free during the ethtool operations performed on a virt_wifi device that is currently being unregistered. Such a net device can have the dev.parent field pointing to the freed memory, but ethnl_ops_begin() calls pm_runtime_get_sync(dev->dev.parent).

Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:

================================================================== BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0 Read of size 2 at addr ffff88810cfc46f8 by task pm/606

Call Trace: <TASK> dump_stack_lvl+0x4d/0x70 print_report+0x170/0x4f3 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 kasan_report+0xda/0x110 ? __pm_runtime_resume+0xe2/0xf0 ? __pm_runtime_resume+0xe2/0xf0 __pm_runtime_resume+0xe2/0xf0 ethnl_ops_begin+0x49/0x270 ethnl_set_features+0x23c/0xab0 ? __pfx_ethnl_set_features+0x10/0x10 ? kvm_sched_clock_read+0x11/0x20 ? local_clock_noinstr+0xf/0xf0 ? local_clock+0x10/0x30 ? kasan_save_track+0x25/0x60 ? __kasan_kmalloc+0x7f/0x90 ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0 genl_family_rcv_msg_doit+0x1e7/0x2c0 ? __pfx_genl_family_rcv_msg_doit+0x10/0x10 ? __pfx_cred_has_capability.isra.0+0x10/0x10 ? stack_trace_save+0x8e/0xc0 genl_rcv_msg+0x411/0x660 ? __pfx_genl_rcv_msg+0x10/0x10 ? __pfx_ethnl_set_features+0x10/0x10 netlink_rcv_skb+0x121/0x380 ? __pfx_genl_rcv_msg+0x10/0x10 ? __pfx_netlink_rcv_skb+0x10/0x10 ? __pfx_down_read+0x10/0x10 genl_rcv+0x23/0x30 netlink_unicast+0x60f/0x830 ? __pfx_netlink_unicast+0x10/0x10 ? __pfxallocskb+0x10/0x10 netlink_sendmsg+0x6ea/0xbc0 ? pfx_netlink_sendmsg+0x10/0x10 ? __futex_queue+0x10b/0x1f0 _syssendmsg+0x7a2/0x950 ? copy_msghdr_from_user+0x26b/0x430 ? pfx_sys_sendmsg+0x10/0x10 ? pfx_copy_msghdr_from_user+0x10/0x10 syssendmsg+0xf8/0x180 ? pfx_syssendmsg+0x10/0x10 ? pfx_futex_wait+0x10/0x10 ? fdget+0x2e4/0x4a0 __sys_sendmsg+0x11f/0x1c0 ? __pfx___sys_sendmsg+0x10/0x10 do_syscall_64+0xe2/0x570 ? exc_page_fault+0x66/0xb0 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK>

This fix may be combined with another one in the ethtool subsystem: https://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from d43c65b05b848e0b2db1a6c78b02c189da3a95b5 to e90f3e74e1ebc26c461a74be490d322716bcdcb4 (excl.)
  • affected from d43c65b05b848e0b2db1a6c78b02c189da3a95b5 to dcb5915696bd7b32b6404a897c24ee47cb23e772 (excl.)
  • affected from d43c65b05b848e0b2db1a6c78b02c189da3a95b5 to d1e3aa80e6e04410ba89eaaba4441a0d749d181d (excl.)
  • affected from d43c65b05b848e0b2db1a6c78b02c189da3a95b5 to c5fa98842783ed227365d1303785de6a67020c8d (excl.)
  • affected from d43c65b05b848e0b2db1a6c78b02c189da3a95b5 to 5bbadf60b121065ffb267ec92018607b9c1c7524 (excl.)
  • affected from d43c65b05b848e0b2db1a6c78b02c189da3a95b5 to 5adc01506da94dfaab76f3d1b8410a8ca7bfc59d (excl.)
  • affected from d43c65b05b848e0b2db1a6c78b02c189da3a95b5 to 789b06f9f39cdc7e895bdab2c034e39c41c8f8d6 (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 5.15 is affected
  • unaffected from 0 to 5.15 (excl.)
  • unaffected from 5.15.203 to 5.15.* (incl.)
  • unaffected from 6.1.168 to 6.1.* (incl.)
  • unaffected from 6.6.134 to 6.6.* (incl.)
  • unaffected from 6.12.81 to 6.12.* (incl.)
  • unaffected from 6.18.22 to 6.18.* (incl.)
  • unaffected from 6.19.12 to 6.19.* (incl.)
  • unaffected from 7.0 to * (incl.)

References