CVE-2026-31661 Overview
A memory management vulnerability has been identified in the Linux kernel's brcmsmac WiFi driver. The issue stems from a size mismatch between DMA memory allocation and deallocation operations. When dma_alloc_consistent() is called, it may adjust the requested size for alignment purposes and store the actual allocated size in the alloced variable. However, the corresponding dma_free_coherent() call was using the original requested size rather than the adjusted allocation size, leading to improper memory handling.
Critical Impact
This vulnerability can cause system instability and denial of service conditions on systems using Broadcom wireless adapters with the brcmsmac driver, as improper DMA memory handling can lead to kernel crashes or memory corruption.
Affected Products
- Linux Kernel version 3.2 and later
- Linux Kernel version 7.0 release candidates (rc1 through rc7)
- Systems using Broadcom wireless chipsets with the brcmsmac driver
Discovery Timeline
- 2026-04-24 - CVE-2026-31661 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31661
Vulnerability Analysis
This vulnerability exists in the brcmsmac wireless driver's DMA memory management code. The DMA (Direct Memory Access) subsystem in Linux requires precise size tracking for memory allocations because the hardware DMA controller operates with specific alignment requirements. When allocating DMA-coherent memory using dma_alloc_consistent(), the kernel may round up the requested size to meet alignment constraints, storing the actual allocated size in a tracking variable called alloced.
The flaw occurs because the deallocation path was not using this tracked size. Instead, it passed the original requested size to dma_free_coherent(), creating a mismatch between what was allocated and what is being freed. This discrepancy can result in incomplete memory frees, memory leaks, or corruption of DMA memory pool metadata.
Root Cause
The root cause is an inconsistency in how the brcmsmac driver tracks DMA memory sizes. The dma_alloc_consistent() function aligns memory to hardware requirements and saves the true allocation size in the alloced field. However, dma_free_coherent() was incorrectly called with the pre-alignment size value instead of reading from alloced. This violates the DMA API contract which requires that the size passed to the free function must exactly match the size used during allocation.
Attack Vector
This vulnerability requires local access to the system. An attacker with local privileges could potentially trigger repeated WiFi driver operations that cause DMA allocation and deallocation cycles, leading to memory corruption or resource exhaustion. The attack surface is limited to systems with Broadcom wireless hardware using the brcmsmac driver. While the vulnerability primarily results in availability impact (denial of service through system instability), the memory corruption aspects could potentially be leveraged in more sophisticated attack chains.
The fix involves changing the free operation to use the alloced variable that contains the correct aligned size, ensuring the freed size matches the allocated size. Patches have been backported across multiple kernel stable branches.
Detection Methods for CVE-2026-31661
Indicators of Compromise
- Kernel log messages indicating DMA memory errors or warnings from the brcmsmac driver
- System crashes or kernel panics occurring during WiFi operations
- Memory allocation failures in kernel space related to DMA operations
- Unusual memory consumption patterns in the kernel DMA pool
Detection Strategies
- Monitor kernel logs (dmesg) for warnings or errors from the brcmsmac or DMA subsystems
- Use kernel memory debugging tools like KASAN (Kernel Address Sanitizer) to detect memory inconsistencies
- Implement system monitoring for unexpected kernel crashes on systems with Broadcom wireless hardware
- Review loaded kernel modules with lsmod | grep brcmsmac to identify vulnerable systems
Monitoring Recommendations
- Enable kernel DMA debugging options in development or test environments to catch size mismatches
- Configure automated alerts for kernel panic events on affected systems
- Monitor system stability metrics for systems using Broadcom wireless adapters
- Implement regular kernel version audits to identify unpatched systems
How to Mitigate CVE-2026-31661
Immediate Actions Required
- Update to a patched Linux kernel version that includes the fix
- If immediate patching is not possible, consider temporarily disabling the brcmsmac driver and using alternative network connectivity
- Monitor affected systems for stability issues until patches can be applied
- Review kernel version and backport availability for your distribution
Patch Information
The Linux kernel development team has released patches across multiple stable branches to address this vulnerability. The fix modifies the dma_free_coherent() call to use the alloced variable that stores the actual allocation size, ensuring consistency between allocation and deallocation operations.
Patches are available via the following kernel git commits:
- Kernel Git Commit 01f1330d
- Kernel Git Commit 0f87777b
- Kernel Git Commit 12cd7632
- Kernel Git Commit 3c204a0f
- Kernel Git Commit 4bf41c27
- Kernel Git Commit 77263f05
- Kernel Git Commit b27fa888
- Kernel Git Commit f449676b
Workarounds
- Blacklist the brcmsmac driver by adding blacklist brcmsmac to /etc/modprobe.d/blacklist.conf if the wireless functionality is not required
- Use alternative wireless drivers if available for your hardware (e.g., brcmfmac for newer Broadcom chips)
- Disable WiFi hardware via BIOS/UEFI settings as a temporary measure on critical systems
- Implement network segmentation to limit exposure of affected systems
# Blacklist brcmsmac driver as a temporary workaround
echo "blacklist brcmsmac" | sudo tee /etc/modprobe.d/brcmsmac-blacklist.conf
sudo update-initramfs -u
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
