Skip to main content

Linux Kernel CVE-2026-31526

| EUVDEUVD-2026-24917 MEDIUM
Improper Locking (CWE-667)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 18:07 vuln.today
CVSS changed
Apr 28, 2026 - 18:07 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 18:04 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24917
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix exception exit lock checking for subprogs

process_bpf_exit_full() passes check_lock = !curframe to check_resource_leak(), which is false in cases when bpf_throw() is called from a static subprog. This makes check_resource_leak() to skip validation of active_rcu_locks, active_preempt_locks, and active_irq_id on exception exits from subprogs.

At runtime bpf_throw() unwinds the stack via ORC without releasing any user-acquired locks, which may cause various issues as the result.

Fix by setting check_lock = true for exception exits regardless of curframe, since exceptions bypass all intermediate frame cleanup. Update the error message prefix to "bpf_throw" for exception exits to distinguish them from normal BPF_EXIT.

Fix reject_subprog_with_rcu_read_lock test which was previously passing for the wrong reason. Test program returned directly from the subprog call without closing the RCU section, so the error was triggered by the unclosed RCU lock on normal exit, not by bpf_throw. Update __msg annotations for affected tests to match the new "bpf_throw" error prefix.

The spin_lock case is not affected because they are already checked [1] at the call site in do_check_insn() before bpf_throw can run.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/verifier.c?h=v7.0-rc4#n21098

AnalysisAI

The Linux kernel BPF verifier fails to validate lock release on exception exits from static subprograms when bpf_throw() is invoked, potentially allowing denial of service or system instability through uncontrolled RCU and preemption lock retention. Affected versions span from 6.7 through 7.0-rc4; CVSS 5.5 (local privilege escalation path) but EPSS 0.02% suggests low real-world exploitation probability. Patch available in stable releases 6.18.21, 6.19.11, and 7.0.

Technical ContextAI

The vulnerability resides in the BPF verifier's exception handling logic, specifically the process_bpf_exit_full() function which invokes check_resource_leak(). The verifier failed to properly validate lock state when bpf_throw() (the BPF exception mechanism) unwinds the stack via ORC (Out-of-line Call Stack Register) unwinding in static subprograms. The root cause (CWE-667: Improper Locking) stems from conditional lock checking that passes check_lock = !curframe, which evaluates to false when exceptions are thrown from nested subprogram frames. This allows active_rcu_locks, active_preempt_locks, and active_irq_id to bypass validation. At runtime, bpf_throw() performs stack unwinding without invoking the normal frame cleanup routines that would release user-acquired locks, creating a state where locks remain held in kernel context after the throw exception exits the BPF program.

RemediationAI

Upgrade to patched kernel versions: Linux 6.18.21 or later, 6.19.11 or later, or 7.0 stable and later. The fix is available in stable kernel repositories at https://git.kernel.org/stable/c/5a399f3117642494e35545f6ca397d3e177c1f9b (6.7 branch), https://git.kernel.org/stable/c/6c2128505f61b504c79a20b89596feba61388112 (6.8-6.11 branches), and https://git.kernel.org/stable/c/c0281da1f2aa5c2fca3a05f79b86bea96591c358 (6.12+ branches). For systems unable to upgrade immediately, disable unprivileged BPF by setting kernel.unprivileged_bpf_disabled=1 via sysctl, which prevents local users without CAP_BPF from loading arbitrary BPF programs. This eliminates the attack surface entirely but may impact legitimate BPF tooling (bcc, libbpf-based tools) unless run with elevated privileges. Alternatively, restrict BPF program loading to root via SELinux or AppArmor policies, though this is less granular than the kernel setting.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy