{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31661", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.129Z", "datePublished": "2026-04-24T14:45:11.917Z", "dateUpdated": "2026-05-11T22:13:08.559Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:13:08.559Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmsmac: Fix dma_free_coherent() size\n\ndma_alloc_consistent() may change the size to align it. The new size is\nsaved in alloced.\n\nChange the free size to match the allocation size."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c"], "versions": [{"version": "5b435de0d786869c95d1962121af0d7df2542009", "lessThan": "f449676bab54fea1440775c8c915dadb323fe015", "status": "affected", "versionType": "git"}, {"version": "5b435de0d786869c95d1962121af0d7df2542009", "lessThan": "3c204a0fd079fa7a867151a47d830ad1c2db5177", "status": "affected", "versionType": "git"}, {"version": "5b435de0d786869c95d1962121af0d7df2542009", "lessThan": "0f87777b74bcce29b966ec42d9aa8f9edd9b1667", "status": "affected", "versionType": "git"}, {"version": "5b435de0d786869c95d1962121af0d7df2542009", "lessThan": "4bf41c2731a0549e21f66180ff780b1e036639ab", "status": "affected", "versionType": "git"}, {"version": "5b435de0d786869c95d1962121af0d7df2542009", "lessThan": "77263f053963dea9f3962505ac0c768853d7dc59", "status": "affected", "versionType": "git"}, {"version": "5b435de0d786869c95d1962121af0d7df2542009", "lessThan": "b27fa888e4a426a3bcf6f6ab24701d888d9bf5aa", "status": "affected", "versionType": "git"}, {"version": "5b435de0d786869c95d1962121af0d7df2542009", "lessThan": "01f1330d3d1bee07e0c42d40cc48b7be8b6dad84", "status": "affected", "versionType": "git"}, {"version": "5b435de0d786869c95d1962121af0d7df2542009", "lessThan": "12cd7632757a54ce586e36040210b1a738a0fc53", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/wireless/broadcom/brcm80211/brcmsmac/dma.c"], "versions": [{"version": "3.2", "status": "affected"}, {"version": "0", "lessThan": "3.2", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.169", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.1.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f449676bab54fea1440775c8c915dadb323fe015"}, {"url": "https://git.kernel.org/stable/c/3c204a0fd079fa7a867151a47d830ad1c2db5177"}, {"url": "https://git.kernel.org/stable/c/0f87777b74bcce29b966ec42d9aa8f9edd9b1667"}, {"url": "https://git.kernel.org/stable/c/4bf41c2731a0549e21f66180ff780b1e036639ab"}, {"url": "https://git.kernel.org/stable/c/77263f053963dea9f3962505ac0c768853d7dc59"}, {"url": "https://git.kernel.org/stable/c/b27fa888e4a426a3bcf6f6ab24701d888d9bf5aa"}, {"url": "https://git.kernel.org/stable/c/01f1330d3d1bee07e0c42d40cc48b7be8b6dad84"}, {"url": "https://git.kernel.org/stable/c/12cd7632757a54ce586e36040210b1a738a0fc53"}], "title": "wifi: brcmsmac: Fix dma_free_coherent() size", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8136AA8-F2F0-4960-9AAF-176AC6ACEA92", "versionEndExcluding": "5.10.253", "versionStartIncluding": "3.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBEC0E5D-641C-4E98-A6D9-5799B10CE451", "versionEndExcluding": "6.1.169", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15C1A1B2-14EE-494C-AF3E-D5A7BA640B39", "versionEndExcluding": "6.6.135", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307", "versionEndExcluding": "6.12.82", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:3.2:-:*:*:*:*:*:*", "matchCriteriaId": "2BEBAC7C-43AE-4D02-A957-26F89F27E0AC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmsmac: Fix dma_free_coherent() size\n\ndma_alloc_consistent() may change the size to align it. The new size is\nsaved in alloced.\n\nChange the free size to match the allocation size."}], "id": "CVE-2026-31661", "lastModified": "2026-04-27T20:17:46.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:45.703", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/01f1330d3d1bee07e0c42d40cc48b7be8b6dad84"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0f87777b74bcce29b966ec42d9aa8f9edd9b1667"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/12cd7632757a54ce586e36040210b1a738a0fc53"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3c204a0fd079fa7a867151a47d830ad1c2db5177"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4bf41c2731a0549e21f66180ff780b1e036639ab"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/77263f053963dea9f3962505ac0c768853d7dc59"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b27fa888e4a426a3bcf6f6ab24701d888d9bf5aa"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f449676bab54fea1440775c8c915dadb323fe015"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: wifi: brcmsmac: Fix dma_free_coherent() size", "id": "2461488", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461488"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-763", "details": ["A flaw was found in the Linux kernel's brcmsmac Wi-Fi driver. This vulnerability arises from an incorrect size used during memory deallocation (dma_free_coherent) that does not match the size allocated (dma_alloc_consistent), which may be adjusted for alignment. An attacker could potentially exploit this memory mismatch, leading to memory corruption. This could result in a denial of service or other unpredictable system behavior."], "name": "CVE-2026-31661", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31661\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31661\nhttps://lore.kernel.org/linux-cve-announce/2026042404-CVE-2026-31661-16ae@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5b435de0d786869c95d1962121af0d7df2542009,f449676bab54fea1440775c8c915dadb323fe015)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5b435de0d786869c95d1962121af0d7df2542009,3c204a0fd079fa7a867151a47d830ad1c2db5177)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5b435de0d786869c95d1962121af0d7df2542009,0f87777b74bcce29b966ec42d9aa8f9edd9b1667)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5b435de0d786869c95d1962121af0d7df2542009,4bf41c2731a0549e21f66180ff780b1e036639ab)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5b435de0d786869c95d1962121af0d7df2542009,77263f053963dea9f3962505ac0c768853d7dc59)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5b435de0d786869c95d1962121af0d7df2542009,b27fa888e4a426a3bcf6f6ab24701d888d9bf5aa)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5b435de0d786869c95d1962121af0d7df2542009,01f1330d3d1bee07e0c42d40cc48b7be8b6dad84)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[5b435de0d786869c95d1962121af0d7df2542009,12cd7632757a54ce586e36040210b1a738a0fc53)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,3.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.253,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.169,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.135,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.82,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.23,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.13,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T23:35:43.740229+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that incorporates the brcmsmac dma_free_coherent size fix committed in 01f1330d3d1bee07e0c42d40cc48b7be8b6dad84.", "If upgrading is not possible, disable or blacklist the brcmsmac driver to eliminate the vulnerable code path.", "Monitor the system for kernel panics, memory corruption alerts, or anomalous behavior related to Wi\u2011Fi operations that may indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "kernel memory corruption"}, "threat_synthesis": {"affected_systems": "Affected versions include the Linux kernel 3.2 and the 7.0 release candidates (rc1\u2011rc7), as listed in the CPE data. The flaw is present in any kernel configuration that builds the brcmsmac driver. Consequently, systems running any of these kernel releases with the brcmsmac driver enabled are subject to the vulnerability.", "description_and_impact": "The brcmsmac Wi\u2011Fi driver in the Linux kernel allocates DMA memory with dma_alloc_consistent(), which may round the requested size up to an alignment boundary. The original, smaller size is retained in the alloced field and used by dma_free_coherent() to free the memory. When the free size does not match the actual allocated size, the free operation can corrupt kernel memory, potentially destabilizing the system or exposing security flaws. The weakness is identified as a memory corruption issue (CWE\u2011763).", "risk_and_exploitability": "The CVSS score of 5.5 denotes a moderate severity, while the EPSS score of less than 1% indicates a very low but non\u2011zero likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Based on the driver context, the attack likely requires local access or interaction with the Wi\u2011Fi hardware; no remote exploitation vector is described in the CVE data. The mismatch in allocation and free sizes could lead to kernel crashes or other stability issues, but the description does not explicitly state escalation or denial of service outcomes, so any such impact is inferred but not confirmed by the official data."}}}}, "created": "2026-04-27T19:00:15.598961+00:00", "updated": "2026-04-28T23:45:16.049978+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}