CVE-2026-31670 Overview
CVE-2026-31670 is a resource exhaustion vulnerability in the Linux kernel's rfkill subsystem. The vulnerability allows local users to create an unlimited number of rfkill events when the system is appropriately configured, without consuming them from the rfkill file descriptor. This behavior can lead to memory exhaustion and denial of service conditions on affected systems.
Critical Impact
Local attackers can cause system-wide denial of service by exhausting available memory through unbounded rfkill event creation, potentially causing system instability or crashes.
Affected Products
- Linux Kernel versions 2.6.31 and later
- Linux Kernel 7.0 release candidates (rc1 through rc7)
- Various Linux Kernel stable branches prior to patched versions
Discovery Timeline
- April 24, 2026 - CVE-2026-31670 published to NVD
- April 27, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31670
Vulnerability Analysis
The rfkill subsystem in the Linux kernel provides a generic interface for disabling radio transmitters (such as WiFi, Bluetooth, and cellular modems). This vulnerability exists in the event handling mechanism of the rfkill subsystem, where userspace processes can generate events that are queued for consumption via the rfkill file descriptor.
The core issue stems from the lack of bounds checking on the number of pending rfkill events that can accumulate in the kernel. When a userspace process opens the rfkill device but fails to read (consume) the events from the file descriptor, the kernel continues to queue new events without limit. This unbounded queue growth directly consumes kernel memory, which cannot be reclaimed until the events are either consumed or the file descriptor is closed.
The attack requires local access with low privileges, and no user interaction is necessary to trigger the condition. The vulnerability impacts system availability without affecting confidentiality or integrity of data.
Root Cause
The root cause of this vulnerability is the absence of a maximum limit on the number of pending rfkill events that can be queued in the kernel. The rfkill event queue was implemented without considering the scenario where a malicious or misbehaving userspace application would intentionally or accidentally create events faster than they are consumed, leading to unbounded memory allocation.
Attack Vector
The attack requires local access to the system with the ability to interact with the rfkill subsystem. An attacker can exploit this vulnerability by:
- Opening the /dev/rfkill device or using the rfkill netlink interface
- Triggering rfkill state changes to generate events (e.g., toggling airplane mode, enabling/disabling wireless interfaces)
- Intentionally not reading from the rfkill file descriptor to prevent event consumption
- Continuously generating new events until kernel memory is exhausted
The vulnerability is particularly concerning on systems where unprivileged users have access to the rfkill interface, such as laptops or mobile devices with user-accessible wireless controls.
The fix implemented by the kernel developers bounds the number of pending rfkill events to a maximum of 1000 events, preventing memory exhaustion attacks while still allowing legitimate high-volume rfkill operations.
Detection Methods for CVE-2026-31670
Indicators of Compromise
- Abnormally high memory consumption by kernel processes without corresponding userspace activity
- Rapid increase in /proc/meminfo MemFree values decreasing while no heavy applications are running
- Processes with open file descriptors to /dev/rfkill that are not actively reading from the device
Detection Strategies
- Monitor for unusual patterns of rfkill event generation using dmesg or kernel logging facilities
- Implement memory usage monitoring with alerts for unexpected kernel memory consumption
- Use kernel auditing (auditd) to track access to /dev/rfkill and rfkill-related syscalls
Monitoring Recommendations
- Deploy SentinelOne agents configured to monitor kernel memory allocation patterns and detect anomalous resource consumption
- Set up alerting thresholds for system memory exhaustion conditions on affected Linux systems
- Monitor for repeated rfkill state transitions that may indicate exploitation attempts
How to Mitigate CVE-2026-31670
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the event limit fix
- Review and restrict access to /dev/rfkill to only necessary users and processes
- Implement resource limits (ulimits) for processes that interact with the rfkill subsystem
Patch Information
The Linux kernel maintainers have released patches across multiple stable branches to address this vulnerability. The fix introduces a limit of 1000 pending rfkill events to prevent unbounded memory consumption. Patched commits are available in the kernel git repository:
- Kernel Git Commit 4bcd1615
- Kernel Git Commit 673d2a3e
- Kernel Git Commit 80ce4cb0
- Kernel Git Commit 82843afc
- Kernel Git Commit a8c26800
- Kernel Git Commit b1e0c8d3
- Kernel Git Commit e3842779
- Kernel Git Commit ea245d78
Workarounds
- Restrict access to /dev/rfkill using filesystem permissions (chmod 600 /dev/rfkill) to limit access to root only
- Use udev rules to control which users and groups can access rfkill devices
- Implement systemd resource controls (MemoryMax) for services that interact with rfkill to limit potential impact
# Restrict rfkill device access to root only
chmod 600 /dev/rfkill
# Create udev rule to limit rfkill access (save to /etc/udev/rules.d/99-rfkill-security.rules)
KERNEL=="rfkill", MODE="0600", GROUP="root"
# Reload udev rules
udevadm control --reload-rules
udevadm trigger
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
