Skip to main content

Linux Kernel CVE-2026-31521

| EUVDEUVD-2026-24907 MEDIUM
Out-of-bounds Write (CWE-787)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-h7p4-fpxw-m265
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 18:37 vuln.today
CVSS changed
Apr 28, 2026 - 18:37 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 18:26 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24907
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

module: Fix kernel panic when a symbol st_shndx is out of bounds

The module loader doesn't check for bounds of the ELF section index in simplify_symbols():

for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) { const char *name = info->strtab + sym[i].st_name;

switch (sym[i].st_shndx) { case SHN_COMMON:

[...]

default: /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_percpu(mod); else / HERE --> / secbase = info->sechdrs[sym[i].st_shndx].sh_addr; sym[i].st_value += secbase; break; } }

A symbol with an out-of-bounds st_shndx value, for example 0xffff (known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:

BUG: unable to handle page fault for address: ... RIP: 0010:simplify_symbols+0x2b2/0x480 ... Kernel panic - not syncing: Fatal exception

This can happen when module ELF is legitimately using SHN_XINDEX or when it is corrupted.

Add a bounds check in simplify_symbols() to validate that st_shndx is within the valid range before using it.

This issue was discovered due to a bug in llvm-objcopy, see relevant discussion for details [1].

[1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/

AnalysisAI

Linux kernel module loader fails to validate ELF section index bounds in simplify_symbols(), causing kernel panic when processing modules with out-of-bounds st_shndx values such as SHN_XINDEX (0xffff). Local privileged attackers can crash the system by loading malformed or legitimately-crafted modules that exploit this missing bounds check, resulting in denial of service. The vulnerability affects all stable kernel versions from 2.6.12 through current releases; patches are available across multiple stable branches (5.15.203+, 6.1.168+, 6.6.131+, 6.12.80+, 6.18.21+, 6.19.11+, 7.0+).

Technical ContextAI

The vulnerability exists in the kernel's ELF module loading code, specifically in the simplify_symbols() function which processes symbol table entries (Elf_Sym structures) during module initialization. The function iterates through symbols and accesses the sechdrs (section headers) array using the st_shndx field as a direct array index without validating that the index falls within the bounds of the sechdrs array. When st_shndx contains special ELF reserve values like SHN_XINDEX (0xffff) or SHN_HIRESERVE, or when ELF files are corrupted/malformed, the unchecked array access triggers an out-of-bounds memory reference. This is a classic CWE-787 (Out-of-bounds Write) scenario manifesting as a read from invalid kernel memory. The vulnerability is compounded by llvm-objcopy generating incorrect ELF metadata in some cases, as documented in the kernel mailing list discussion.

RemediationAI

Apply vendor-released patches corresponding to your kernel stable series: Linux 5.15.203 or later, 6.1.168 or later, 6.6.131 or later, 6.12.80 or later, 6.18.21 or later, 6.19.11 or later, or 7.0 or later. The upstream fix (referenced via git commits 082f15d2887329e0f43fd3727e69365f5bfe5d2c and others in the kernel stable tree) adds explicit bounds checking of st_shndx values in simplify_symbols() before array indexing. For distributions, update to kernel versions that include the fix; consult your distribution's security advisories for specific package versions. If immediate patching is not feasible, restrict module loading privileges via module.sig_enforce enforcement, disable dynamic module loading entirely (set modules.enabled=0 in bootloader if modules are not required), or use SELinux/AppArmor policies to prevent unprivileged users from loading kernel modules. Each mitigation carries trade-offs: disabling dynamic modules reduces flexibility but improves security posture; signature enforcement requires kernel built with CONFIG_MODULE_SIG and proper key management.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31521 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy