Fixed

LIN1023-23482 : Security Advisory - linux - CVE-2026-31695

Created: May 12, 2026    Updated: May 14, 2026
Resolved Date: May 12, 2026
Found In Version: 10.23.30.2
Fix Version: 10.23.30.21
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free

Currently we execute `SET_NETDEV_DEV(dev, &priv->lowerdev->dev)` for the virt_wifi net devices. However, unregistering a virt_wifi device in netdev_run_todo() can happen together with the device referenced by SET_NETDEV_DEV().

It can result in use-after-free during the ethtool operations performed on a virt_wifi device that is currently being unregistered. Such a net device can have the `dev.parent` field pointing to the freed memory, but ethnl_ops_begin() calls `pm_runtime_get_sync(dev->dev.parent)`.

Let's remove SET_NETDEV_DEV for virt_wifi to avoid bugs like this:

    ==================================================================
    BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0
    Read of size 2 at addr ffff88810cfc46f8 by task pm/606

    Call Trace:
     <TASK>
     dump_stack_lvl+0x4d/0x70
     print_report+0x170/0x4f3
     ? __pfx__raw_spin_lock_irqsave+0x10/0x10
     kasan_report+0xda/0x110
     ? __pm_runtime_resume+0xe2/0xf0
     ? __pm_runtime_resume+0xe2/0xf0
     __pm_runtime_resume+0xe2/0xf0
     ethnl_ops_begin+0x49/0x270
     ethnl_set_features+0x23c/0xab0
     ? __pfx_ethnl_set_features+0x10/0x10
     ? kvm_sched_clock_read+0x11/0x20
     ? local_clock_noinstr+0xf/0xf0
     ? local_clock+0x10/0x30
     ? kasan_save_track+0x25/0x60
     ? __kasan_kmalloc+0x7f/0x90
     ? genl_family_rcv_msg_attrs_parse.isra.0+0x150/0x2c0
     genl_family_rcv_msg_doit+0x1e7/0x2c0
     ? __pfx_genl_family_rcv_msg_doit+0x10/0x10
     ? __pfx_cred_has_capability.isra.0+0x10/0x10
     ? stack_trace_save+0x8e/0xc0
     genl_rcv_msg+0x411/0x660
     ? __pfx_genl_rcv_msg+0x10/0x10
     ? __pfx_ethnl_set_features+0x10/0x10
     netlink_rcv_skb+0x121/0x380
     ? __pfx_genl_rcv_msg+0x10/0x10
     ? __pfx_netlink_rcv_skb+0x10/0x10
     ? __pfx_down_read+0x10/0x10
     genl_rcv+0x23/0x30
     netlink_unicast+0x60f/0x830
     ? __pfx_netlink_unicast+0x10/0x10
     ? __pfx___alloc_skb+0x10/0x10
     netlink_sendmsg+0x6ea/0xbc0
     ? __pfx_netlink_sendmsg+0x10/0x10
     ? __futex_queue+0x10b/0x1f0
     ____sys_sendmsg+0x7a2/0x950
     ? copy_msghdr_from_user+0x26b/0x430
     ? __pfx_____sys_sendmsg+0x10/0x10
     ? __pfx_copy_msghdr_from_user+0x10/0x10
     ___sys_sendmsg+0xf8/0x180
     ? __pfx____sys_sendmsg+0x10/0x10
     ? __pfx_futex_wait+0x10/0x10
     ? fdget+0x2e4/0x4a0
     __sys_sendmsg+0x11f/0x1c0
     ? __pfx___sys_sendmsg+0x10/0x10
     do_syscall_64+0xe2/0x570
     ? exc_page_fault+0x66/0xb0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
     </TASK>

This fix may be combined with another one in the ethtool subsystem:
https://lore.kernel.org/all/20260322075917.254874-1-alex.popov@linux.com/T/#u
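For triaging kernel logs from unpatched systems, the following added example (not part of the advisory or the upstream commit) parses KASAN reports and flags those with the call pattern shown in the trace above. The names `parse_kasan` and `matches_advisory`, the matching heuristic and the log timestamps are assumptions of this example; a match shows the same `ethnl_ops_begin()` to `__pm_runtime_resume()` fault, not that virt_wifi specifically was the device involved.

```python
import re

# Constructed sample: a shortened copy of the KASAN report quoted above, with
# made-up dmesg timestamps. Frames marked "?" are unreliable stack leftovers.
SAMPLE_DMESG = """\
[  101.000001] BUG: KASAN: slab-use-after-free in __pm_runtime_resume+0xe2/0xf0
[  101.000002] Read of size 2 at addr ffff88810cfc46f8 by task pm/606
[  101.000003] Call Trace:
[  101.000004]  <TASK>
[  101.000005]  dump_stack_lvl+0x4d/0x70
[  101.000006]  kasan_report+0xda/0x110
[  101.000007]  ? __pm_runtime_resume+0xe2/0xf0
[  101.000008]  __pm_runtime_resume+0xe2/0xf0
[  101.000009]  ethnl_ops_begin+0x49/0x270
[  101.000010]  ethnl_set_features+0x23c/0xab0
[  101.000011]  ? __pfx_ethnl_set_features+0x10/0x10
[  101.000012]  genl_rcv_msg+0x411/0x660
[  101.000013]  </TASK>
"""

HEADER = re.compile(r"BUG: KASAN: (\S+) in (\w+)\+0x")
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
REPORTING = {"dump_stack_lvl", "print_report", "kasan_report"}  # KASAN's own frames

def parse_kasan(text):
    """Return one dict per KASAN report: bug kind, faulting function, reliable frames."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = re.sub(r"^\[\s*\d+\.\d+\]\s*", "", raw).strip()  # drop dmesg timestamp
        m = HEADER.search(line)
        if m:
            cur = {"kind": m.group(1), "site": m.group(2), "frames": []}
            reports.append(cur)
        elif line == "</TASK>":
            cur = None
        elif cur is not None:
            f = FRAME.match(line)
            if f and not f.group(1) and f.group(2) not in REPORTING:
                cur["frames"].append(f.group(2))
    return reports

def matches_advisory(report):
    """Heuristic (assumption): UAF in __pm_runtime_resume called directly by ethnl_ops_begin."""
    calls = zip(report["frames"], report["frames"][1:])  # (callee, caller) pairs
    return (report["kind"] == "slab-use-after-free"
            and report["site"] == "__pm_runtime_resume"
            and ("__pm_runtime_resume", "ethnl_ops_begin") in calls)
```
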

CVEs