HIGH
wifi wilc1000 SSID Overflow
CVE-2026-31780
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation

The variable valuesize is declared as u8 but accumulates the total length of all SSIDs to scan. Each SSID contributes up to 33 bytes (IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10) SSIDs the total can reach 330, which wraps around to 74 when stored in a u8.

This causes kmalloc to allocate only 75 bytes while the subsequent memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte heap buffer overflow.

Widen valuesize from u8 to u32 to accommodate the full range.
02 KernelScan AI Analysis
Risk summary
Local attackers with low privileges can trigger a heap buffer overflow in the wilc1000 WiFi driver during SSID scanning operations. This can lead to kernel memory corruption, privilege escalation, or system crashes on devices using wilc1000 WiFi hardware.
Vulnerability analysis
The root cause is an integer overflow in the valuesize variable (u8) that accumulates SSID lengths during WiFi scanning. With 10 SSIDs of maximum length (33 bytes each), the total reaches 330 bytes, which wraps to 74 when stored in u8. This causes kmalloc to allocate only 75 bytes while memcpy writes up to 331 bytes, creating a 256-byte heap overflow. The fix changes valuesize from u8 to u32 to prevent the overflow. Attack surface is local-only, requiring access to WiFi scanning functionality, typically available to low-privileged users through standard WiFi management interfaces.
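The sizing arithmetic described above, modelled in user space as an added example; it is not the driver's code or the upstream patch. The function names and the assumed buffer layout (one count byte, then a length byte plus the SSID bytes per entry) are illustrative, chosen to match the 75-byte and 331-byte figures in the description.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_SSID_LEN    32  /* IEEE80211_MAX_SSID_LEN */
#define MAX_PROBED_SSID 10  /* WILC_MAX_NUM_PROBED_SSID, value from the advisory */

/* Assumed layout: 1 count byte, then (1 length byte + SSID bytes) per entry. */
static size_t bytes_written(const uint8_t *len, size_t n)
{
    size_t total = 1;
    for (size_t i = 0; i < n; i++)
        total += (size_t)len[i] + 1;
    return total;
}

/* Pre-fix sizing: the running total is a u8, so it wraps modulo 256. */
static size_t alloc_size_u8(const uint8_t *len, size_t n)
{
    uint8_t valuesize = 0;
    for (size_t i = 0; i < n; i++)
        valuesize = (uint8_t)(valuesize + len[i] + 1);
    return (size_t)valuesize + 1;
}

/* Post-fix sizing: the same loop with a u32 accumulator, which cannot wrap here. */
static size_t alloc_size_u32(const uint8_t *len, size_t n)
{
    uint32_t valuesize = 0;
    for (size_t i = 0; i < n; i++)
        valuesize += (uint32_t)len[i] + 1;
    return (size_t)valuesize + 1;
}

/* Bytes the copy loop would place past the end of the allocation (0 if it fits). */
static size_t overflow_bytes(size_t alloc, size_t written)
{
    return written > alloc ? written - alloc : 0;
}

int main(void)
{
    uint8_t len[MAX_PROBED_SSID];
    for (size_t i = 0; i < MAX_PROBED_SSID; i++)
        len[i] = MAX_SSID_LEN; /* constructed worst case: 10 SSIDs of 32 bytes */
    size_t w = bytes_written(len, MAX_PROBED_SSID);
    printf("u8  overflow: %zu bytes\n", overflow_bytes(alloc_size_u8(len, MAX_PROBED_SSID), w));
    printf("u32 overflow: %zu bytes\n", overflow_bytes(alloc_size_u32(len, MAX_PROBED_SSID), w));
    return 0;
}
```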
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 34a23fd9ddd6 |
| 5.15 | 5.15.203 | 549f02d8ec94 |
| 6.1 | 6.1.168 | bfbddeadd477 |
| 6.6 | 6.6.134 | 9907ac9b9a18 |
| 6.12 | 6.12.81 | c97b2a000596 |
| 6.18 | 6.18.22 | d8388614de61 |
| 6.19 | 6.19.12 | 0c7f21d8bd2f |
| mainline | 7.0 | d049e56b1739 |