Skip to main content

Linux Kernel CVE-2026-31413

| EUVDEUVD-2026-21717 HIGH
Out-of-bounds Read (CWE-125)
2026-04-12 Linux GHSA-q7pg-xjgf-wr6f
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Generated
Apr 27, 2026 - 14:23 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch released
Apr 12, 2026 - 14:30 nvd
Patch available
EUVD ID Assigned
Apr 12, 2026 - 06:15 euvd
EUVD-2026-21717
Analysis Generated
Apr 12, 2026 - 06:15 vuln.today
CVE Published
Apr 12, 2026 - 05:36 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR

maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1.

For BPF_AND this is correct: 0 & K 0. For BPF_OR this is wrong: 0 | K K, not 0.

The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access.

Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode.

AnalysisAI

A logic error in the Linux kernel's BPF (Berkeley Packet Filter) verifier allows local attackers with low privileges to exploit verifier/runtime divergence and achieve out-of-bounds map access, enabling arbitrary memory read/write and privilege escalation. The flaw affects the maybe_fork_scalars() function which incorrectly handles BPF_OR operations during state forking, tracking destination register as 0 when the runtime value is K (the constant operand). Patches are available from kernel.org for versions 6.12.80, 6.18.21, 6.19.11, and 7.0-rc5. EPSS score is extremely low (0.01%) and no public exploit or active exploitation has been identified at time of analysis.

Technical ContextAI

This vulnerability resides in the Linux kernel's extended Berkeley Packet Filter (eBPF) verifier subsystem, specifically in the maybe_fork_scalars() function responsible for scalar value tracking during static program analysis. The verifier performs abstract interpretation to prove BPF programs are safe before execution. When analyzing bitwise operations (BPF_AND, BPF_OR) with constant operands, the verifier forks execution paths to track different register values. The bug occurs when a destination register has signed range [-1, 0]: the verifier pushes a new path with dst=0 and continues the current path with dst=-1. For BPF_AND this is mathematically sound (0 & K = 0), but for BPF_OR it creates incorrect state (0 | K = K, not 0). This verifier/runtime mismatch violates the fundamental safety guarantee of eBPF: the verifier believes a register contains 0 when runtime holds K, allowing bounds checks to pass in the verifier while runtime accesses out-of-bounds memory regions. This is a classic example of abstract interpretation soundness failure, where imprecise modeling of concrete semantics creates exploitable divergence. The CPE strings indicate broad applicability across Linux kernel versions that include the eBPF verifier.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.80 or later for 6.12.x series, 6.18.21 or later for 6.18.x series, 6.19.11 or later for 6.19.x series, or 7.0-rc5 and later for development branch. The upstream fix is implemented in commits d13281ae7ea8902b21d99d10a2c8caf0bdec0455 (mainline), 342aa1ee995ef5bbf876096dc3a5e51218d76fa4, 58bd87d0e69204dbd739e4387a1edb0c4b1644e7, and c845894ebd6fb43226b3118d6b017942550910c5 (stable branches), available at https://git.kernel.org/stable/. The fix modifies maybe_fork_scalars() to pass env->insn_idx instead of env->insn_idx + 1 to push_stack(), forcing the pushed verifier path to re-execute the ALU instruction with the forked register state and naturally compute the correct result. For systems unable to immediately patch, disable unprivileged BPF program loading via sysctl kernel.unprivileged_bpf_disabled=1 (prevents non-root users from loading BPF programs, eliminating local attack vector but breaks legitimate unprivileged BPF use cases like unprivileged container monitoring). Alternatively, disable BPF entirely if not required via kernel boot parameter bpf.jit_enable=0 or CONFIG_BPF_SYSCALL=n at compile time (breaks all BPF-dependent functionality including networking filters, tracing, and security monitoring tools). Restrict local user access and monitor for suspicious BPF syscall activity via audit rules.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31413 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy