Skip to main content

Linux Kernel CVE-2026-31525

| EUVDEUVD-2026-24916 HIGH
Out-of-bounds Write (CWE-787)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 18:07 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 18:06 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:26 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24916
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN

The BPF interpreter's signed 32-bit division and modulo handlers use the kernel abs() macro on s32 operands. The abs() macro documentation (include/linux/math.h) explicitly states the result is undefined when the input is the type minimum. When DST contains S32_MIN (0x80000000), abs((s32)DST) triggers undefined behavior and returns S32_MIN unchanged on arm64/x86. This value is then sign-extended to u64 as 0xFFFFFFFF80000000, causing do_div() to compute the wrong result.

The verifier's abstract interpretation (scalar32_min_max_sdiv) computes the mathematically correct result for range tracking, creating a verifier/interpreter mismatch that can be exploited for out-of-bounds map value access.

Introduce abs_s32() which handles S32_MIN correctly by casting to u32 before negating, avoiding signed overflow entirely. Replace all 8 abs((s32)...) call sites in the interpreter's sdiv32/smod32 handlers.

s32 is the only affected case -- the s64 division/modulo handlers do not use abs().

AnalysisAI

Signed integer overflow in the Linux kernel's BPF interpreter enables local attackers with low privileges to achieve out-of-bounds memory access and potentially execute arbitrary code. The flaw occurs when the 32-bit signed division/modulo operations handle INT_MIN (0x80000000), causing the abs() macro to trigger undefined behavior that creates a mismatch between the verifier's abstract interpretation and the interpreter's runtime behavior. With an EPSS score of 0.02% and no confirmed active exploitation, the primary risk is to systems where unprivileged users can load BPF programs, though default kernel configurations typically restrict BPF to privileged users. Patches are available across multiple stable kernel branches (6.6.131, 6.12.80, 6.18.21, 6.19.11).

Technical ContextAI

The Berkeley Packet Filter (BPF) subsystem in the Linux kernel includes an in-kernel interpreter for executing BPF bytecode when JIT compilation is disabled or unavailable. The interpreter's signed 32-bit division (BPF_SDIV) and modulo (BPF_SMOD) operations rely on the kernel's abs() macro to compute absolute values before calling do_div(). The abs() macro explicitly documents undefined behavior when invoked on type minimum values (S32_MIN = -2147483648 = 0x80000000 in two's complement). On arm64 and x86_64 architectures, abs((s32)S32_MIN) returns S32_MIN unchanged due to signed overflow during negation. This value is then sign-extended to u64 as 0xFFFFFFFF80000000, causing do_div() to compute incorrect division/modulo results. Meanwhile, the BPF verifier's scalar32_min_max_sdiv function performs mathematically correct abstract interpretation for range tracking. This verifier/interpreter mismatch creates a scenario where the verifier approves memory access bounds that the interpreter violates at runtime, enabling exploits. The fix introduces abs_s32() which casts to u32 before negating, avoiding signed overflow entirely per two's complement arithmetic rules. The issue affects kernel versions from 6.6 onward where the vulnerable sdiv32/smod32 handlers were introduced (commit ec0e2da95f72).

RemediationAI

Upgrade to patched Linux kernel versions: 6.6.131 or later for the 6.6 LTS branch, 6.12.80+ for 6.12 stable, 6.18.21+ for 6.18 stable, or 6.19.11+ for 6.19 stable. Mainline users should apply commit 694ea55f1b1c74f9942d91ec366ae9e822422e42 or use kernel 7.0+. Distribution users should apply vendor-provided kernel updates through normal package management (apt upgrade linux-image-* / yum update kernel / dnf upgrade kernel). Verify patch application by checking kernel git log for abs_s32() introduction or reviewing /proc/version against patched version numbers. If immediate patching is not feasible, disable unprivileged BPF program loading as a highly effective compensating control: set kernel.unprivileged_bpf_disabled=1 via sysctl (sysctl -w kernel.unprivileged_bpf_disabled=1 and persist in /etc/sysctl.d/99-bpf-hardening.conf). Note that this mitigation only protects against unprivileged exploitation; root or CAP_BPF-capable processes can still trigger the vulnerability, so it should be considered a temporary measure. Disabling unprivileged BPF may break applications that rely on it (certain observability tools, legacy packet filters), though modern tooling using BPF CO-RE typically runs privileged. Monitor audit logs for BPF syscall usage (auditctl -a always,exit -F arch=b64 -S bpf) to detect potential exploitation attempts. Full remediation requires kernel patching.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31525 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy