Bug 2461522 (CVE-2026-31548) - CVE-2026-31548 kernel: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
Summary: CVE-2026-31548 kernel: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_w...
Keywords:
Status: NEW
Alias: CVE-2026-31548
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-24 15:06 UTC by OSIDB Bzimport
Modified: 2026-04-24 17:05 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-24 15:06:24 UTC 
In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down

When the nl80211 socket that originated a PMSR request is
closed, cfg80211_release_pmsr() sets the request's nl_portid
to zero and schedules pmsr_free_wk to process the abort
asynchronously. If the interface is concurrently torn down
before that work runs, cfg80211_pmsr_wdev_down() calls
cfg80211_pmsr_process_abort() directly. However, the already-
scheduled pmsr_free_wk work item remains pending and may run
after the interface has been removed from the driver. This
could cause the driver's abort_pmsr callback to operate on a
torn-down interface, leading to undefined behavior and
potential crashes.

Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down()
before calling cfg80211_pmsr_process_abort(). This ensures any
pending or in-progress work is drained before interface teardown
proceeds, preventing the work from invoking the driver abort
callback after the interface is gone.
Comment 1 Keith Grant 2026-04-24 17:03:01 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042425-CVE-2026-31548-3d88@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.