Bug 2461490 (CVE-2026-31552) - CVE-2026-31552 kernel: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom
Summary: CVE-2026-31552 kernel: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if the...
Keywords:
Status: NEW
Alias: CVE-2026-31552
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-24 15:04 UTC by OSIDB Bzimport
Modified: 2026-04-24 17:15 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-24 15:04:36 UTC 
In the Linux kernel, the following vulnerability has been resolved:

wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom

Since upstream commit e75665dd0968 ("wifi: wlcore: ensure skb headroom
before skb_push"), wl1271_tx_allocate() and with it
wl1271_prepare_tx_frame() returns -EAGAIN if pskb_expand_head() fails.
However, in wlcore_tx_work_locked(), a return value of -EAGAIN from
wl1271_prepare_tx_frame() is interpreted as the aggregation buffer being
full. This causes the code to flush the buffer, put the skb back at the
head of the queue, and immediately retry the same skb in a tight while
loop.

Because wlcore_tx_work_locked() holds wl->mutex, and the retry happens
immediately with GFP_ATOMIC, this will result in an infinite loop and a
CPU soft lockup. Return -ENOMEM instead so the packet is dropped and
the loop terminates.

The problem was found by an experimental code review agent based on
gemini-3.1-pro while reviewing backports into v6.18.y.
Comment 1 Keith Grant 2026-04-24 17:12:04 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042427-CVE-2026-31552-505c@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.