KernelScan.io

HIGH

iwlwifi ScanMatch OOB

CVE-2026-31779

CVSS 8.1 / 10.0 (NVD)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

KernelScan AI score: 8.1 (HIGH)


In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler() The memcpy function assumes the dynamic array notif->matches is at least as large as the number of bytes to copy. Otherwise, results->matches may contain unwanted data. To guarantee safety, extend the validation in one of the checks to ensure sufficient packet length. Found by Linux Verification Center (linuxtesting.org) with SVACE.


Engine v0.2.0

Risk summary

An attacker who can influence WiFi firmware behavior or trigger scan operations could cause the kernel to read beyond allocated memory boundaries, potentially leading to information disclosure or system instability. The impact is limited by the need for specific Intel wireless hardware and the ability to trigger scan operations.

Affected file: drivers/net/wireless/intel/iwlwifi/mvm/d3.c

Vulnerability analysis

Root Cause: The iwl_mvm_nd_match_info_handler() function performs insufficient length validation before copying data from a firmware notification. The original code only validates that the packet is at least as large as the base struct iwl_scan_offload_match_info, but does not verify there is sufficient space for the variable-length matches array that follows. This allows memcpy to read beyond the allocated buffer boundaries when copying notif->matches data.

Attack Surface: This vulnerability affects systems with Intel iwlwifi wireless hardware during WiFi scan operations. The attack surface is limited to scenarios where the wireless firmware can send malformed scan match notifications with insufficient data length. This typically requires local access to trigger WiFi scanning operations, though the malformed data originates from firmware rather than direct user input.

Fix Mechanism: The patch extends the length validation check to include the size of the matches array (matches_len) in addition to the base structure size. The validation now ensures: len >= sizeof(struct iwl_scan_offload_match_info) + matches_len, guaranteeing sufficient packet length before the memcpy operation proceeds.


Fixed versions

Branch     Fixed in   Patch commit
6.1        6.1.168    f6abac936a0d
6.6        6.6.134    ffbed27ba15e
6.12       6.12.81    e67d8c626ace
6.18       6.18.22    dd90880eb5ec
6.19       6.19.12    ca0e9491b98c
mainline   7.0        744fabc338e8