HOMEVULNERABILITIESCVE-2026-31551
MEDIUM

CVE-2026-31551

Published: April 24, 2026· Updated: Apr 27, 2026

5.5
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:6.8th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.

syzbot reported static_branch_dec() underflow in aql_enable_write(). [0]

The problem is that aql_enable_write() does not serialise concurrent

write()s to the debugfs.

aql_enable_write() checks static_key_false(&aql_disable.key) and

later calls static_branch_inc() or static_branch_dec(), but the

state may change between the two calls.

aql_disable does not need to track inc/dec.

Let's use static_branch_enable() and static_branch_disable().

[0]:

val == 0

WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288

Modules linked in:

CPU: 0 UID: 0 PID: 20288 Comm: syz.1.3155 Tainted: G U L syzkaller #0 PREEMPT(full)

Tainted: [U]=USER, [L]=SOFTLOCKUP

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026

RIP: 0010:__static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311

Code: f2 c9 ff 5b 5d c3 cc cc cc cc e8 54 f2 c9 ff 48 89 df e8 ac f9 ff ff eb ad e8 45 f2 c9 ff 90 0f 0b 90 eb a2 e8 3a f2 c9 ff 90 <0f> 0b 90 eb 97 48 89 df e8 5c 4b 33 00 e9 36 ff ff ff 0f 1f 80 00

RSP: 0018:ffffc9000b9f7c10 EFLAGS: 00010293

RAX: 0000000000000000 RBX: ffffffff9b3e5d40 RCX: ffffffff823c57b4

RDX: ffff8880285a0000 RSI: ffffffff823c5846 RDI: ffff8880285a0000

RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000000a

R13: 1ffff9200173ef88 R14: 0000000000000001 R15: ffffc9000b9f7e98

FS: 00007f530dd726c0(0000) GS:ffff8881245e3000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 0000200000001140 CR3: 000000007cc4a000 CR4: 00000000003526f0

Call Trace:

<TASK>

__static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]

__static_key_slow_dec kernel/jump_label.c:321 [inline]

static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336

aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343

short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383

vfs_write+0x2aa/0x1070 fs/read_write.c:684

ksys_pwrite64 fs/read_write.c:793 [inline]

__do_sys_pwrite64 fs/read_write.c:801 [inline]

__se_sys_pwrite64 fs/read_write.c:798 [inline]

__x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]

do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94

entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f530cf9aeb9

Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f530dd72028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012

RAX: ffffffffffffffda RBX: 00007f530d215fa0 RCX: 00007f530cf9aeb9

RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000010

RBP: 00007f530d008c1f R08: 0000000000000000 R09: 0000000000000000

R10: 4200000000000005 R11: 0000000000000246 R12: 0000000000000000

R13: 00007f530d216038 R14: 00007f530d215fa0 R15: 00007ffde89fb978

</TASK>

NVD Source

Technical Analysis

CVE-2026-31551 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 5.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 3 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (7)

Quick Facts

CVE IDCVE-2026-31551
CVSS Score5.5 / 10
SeverityMEDIUM
CISA KEVNo
EPSS (30d)0.02%
Affected1 vendor
PublishedApr 24, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31551 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.