CVE-2026-31780 Overview
CVE-2026-31780 is a heap buffer overflow vulnerability in the Linux kernel's wilc1000 WiFi driver. The flaw resides in the SSID scan buffer size calculation, where the valuesize variable is declared as u8 but accumulates the total length of all SSIDs to scan. With WILC_MAX_NUM_PROBED_SSID set to 10 and each SSID contributing up to 33 bytes (IEEE80211_MAX_SSID_LEN + 1), the total can reach 330 bytes. This wraps around to 74 when stored in a u8, causing kmalloc to allocate only 75 bytes while the subsequent memcpy writes up to 331 bytes, producing a 256-byte heap buffer overflow.
Critical Impact
Local attackers with low privileges can trigger memory corruption in kernel space, potentially leading to privilege escalation, kernel code execution, or system crash.
Affected Products
- Linux kernel versions containing the wilc1000 WiFi driver prior to the patched commits
- Systems using Microchip WILC1000 IEEE 802.11 b/g/n wireless devices
- Embedded and IoT distributions shipping the affected kernel branches
Discovery Timeline
- 2026-05-01 - CVE-2026-31780 published to NVD
- 2026-05-03 - Last updated in NVD database
Technical Details for CVE-2026-31780
Vulnerability Analysis
The vulnerability is a classic integer truncation leading to a heap buffer overflow in the wilc1000 wireless driver. The driver iterates over the list of SSIDs to probe during a scan and accumulates their total byte length in the valuesize variable. Because valuesize is typed as an unsigned 8-bit integer, any total exceeding 255 wraps around modulo 256.
When the maximum supported probed SSID count (WILC_MAX_NUM_PROBED_SSID = 10) is requested with full-length SSIDs, the true byte count reaches 330. The truncated value of 74 is then passed to kmalloc, which returns a 75-byte allocation. The driver subsequently copies the untruncated full-length data via memcpy, writing up to 331 bytes into the 75-byte allocation and overflowing 256 bytes into adjacent kernel heap memory.
Root Cause
The root cause is a numeric truncation error caused by an undersized integer type. The u8 declaration of valuesize cannot represent the maximum cumulative SSID length the function is expected to handle. The fix widens valuesize from u8 to u32, allowing the variable to hold the full possible range of cumulative SSID lengths without wrapping.
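The size arithmetic described above, modelled in user-space C as an added example (this is not the driver's source). The helper names are hypothetical, IEEE80211_MAX_SSID_LEN is assumed to be 32 as implied by the 33-byte figure, and only sizes are computed; no buffer is written.

```c
/* Added example: user-space model of the size calculation, not driver code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IEEE80211_MAX_SSID_LEN   32  /* assumed; matches the 33-byte figure */
#define WILC_MAX_NUM_PROBED_SSID 10  /* value given in the advisory */

/* Pre-patch arithmetic: the running total is a u8 and wraps modulo 256. */
static size_t alloc_size_u8(const uint8_t *ssid_len, size_t n_ssids)
{
    uint8_t valuesize = 0;
    for (size_t i = 0; i < n_ssids; i++)
        valuesize = (uint8_t)(valuesize + ssid_len[i] + 1); /* len byte + SSID */
    return (size_t)valuesize + 1;   /* +1 byte, as in the 75-byte allocation */
}

/* Patched arithmetic: same loop, total held in a u32. */
static size_t alloc_size_u32(const uint8_t *ssid_len, size_t n_ssids)
{
    uint32_t valuesize = 0;
    for (size_t i = 0; i < n_ssids; i++)
        valuesize += (uint32_t)ssid_len[i] + 1u;
    return (size_t)valuesize + 1;
}

/* Bytes the copy would write past the allocation; 0 means it fits. */
static size_t overflow_bytes(const uint8_t *ssid_len, size_t n_ssids)
{
    size_t written = alloc_size_u32(ssid_len, n_ssids);   /* true size */
    size_t allocated = alloc_size_u8(ssid_len, n_ssids);  /* truncated size */
    return written > allocated ? written - allocated : 0;
}

int main(void)
{
    uint8_t lens[WILC_MAX_NUM_PROBED_SSID];   /* constructed sample request */
    for (size_t i = 0; i < WILC_MAX_NUM_PROBED_SSID; i++)
        lens[i] = IEEE80211_MAX_SSID_LEN;

    printf("u8 alloc=%zu  u32 alloc=%zu  overflow=%zu\n",
           alloc_size_u8(lens, WILC_MAX_NUM_PROBED_SSID),
           alloc_size_u32(lens, WILC_MAX_NUM_PROBED_SSID),
           overflow_bytes(lens, WILC_MAX_NUM_PROBED_SSID));
    return 0;
}
```

The same check applies to any request: seven full-length SSIDs total 231 bytes and fit in a u8, while eight total 264 and already wrap.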
Attack Vector
Exploitation requires local access with the ability to issue scan-related operations to the wilc1000 driver, typically via standard nl80211 or wireless extension interfaces accessible to processes with CAP_NET_ADMIN. An attacker constructs a scan request specifying multiple long SSIDs that cause the cumulative length to exceed 255 bytes. The resulting heap overflow corrupts adjacent slab objects and can be shaped into kernel memory disclosure, privilege escalation, or denial of service.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The patch is distributed across multiple stable kernel branches via commits including 549f02d8 and d8388614.
Detection Methods for CVE-2026-31780
Indicators of Compromise
- Kernel oops or panic messages referencing wilc1000, kmalloc, or slab corruption following a wireless scan operation
- KASAN reports identifying out-of-bounds writes in the wilc1000 SSID scan path
- Unexpected wireless interface resets or driver reload events correlated with scan requests containing many or oversized SSIDs
Detection Strategies
- Audit kernel versions deployed across endpoints and embedded devices to identify systems running pre-patch wilc1000 driver builds.
- Monitor dmesg and syslog for slab corruption messages, KASAN warnings, or general protection faults occurring during wireless scanning.
- Inspect nl80211 scan requests for unusually large SSID lists that approach WILC_MAX_NUM_PROBED_SSID with maximum-length SSIDs.
Monitoring Recommendations
- Forward kernel ring buffer logs to a centralized SIEM and alert on wilc1000 driver crashes or recovery events.
- Track process activity invoking iw, iwlist, or custom nl80211 clients with elevated network capabilities.
- Correlate user-space wireless tooling execution with kernel anomalies on devices using Microchip WILC1000 hardware.
How to Mitigate CVE-2026-31780
Immediate Actions Required
- Apply the upstream Linux kernel patch that widens valuesize from u8 to u32 in the wilc1000 SSID scan buffer calculation.
- Update to a stable kernel release that incorporates the fix; references include the kernel.org commit 549f02d8 and commit d8388614.
- Restrict CAP_NET_ADMIN and wireless configuration privileges to trusted users only on systems using the WILC1000 driver.
Patch Information
The fix is available in the upstream Linux kernel via multiple stable branch commits, including 0c7f21d8, 34a23fd9, 549f02d8, 9907ac9b, bfbddead, c97b2a00, d049e56b, and d8388614. Distribution maintainers should rebase to a kernel containing these commits.
Workarounds
- On systems that do not require WILC1000 wireless functionality, unload the wilc1000 kernel module with modprobe -r wilc1000 and blacklist it.
- Limit scan operations on affected devices to trusted system services and prevent unprivileged users from issuing arbitrary nl80211 scan requests.
- Constrain the number and length of probed SSIDs in user-space wireless management tools until the kernel patch is deployed.
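# Configuration example: blacklist the vulnerable driver until patched
# The bus modules are blacklisted too: a blacklist entry does not stop
# wilc1000 from loading as a dependency of wilc1000_sdio or wilc1000_spi
printf 'blacklist %s\n' wilc1000 wilc1000_sdio wilc1000_spi | sudo tee /etc/modprobe.d/wilc1000-cve-2026-31780.conf
sudo modprobe -r wilc1000_sdio wilc1000_spi wilc1000
# Rebuild the initramfs so the blacklist applies at early boot (Debian/Ubuntu command)
sudo update-initramfs -u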