Skip to main content

Linux Kernel CVE-2026-31690

| EUVDEUVD-2026-25887 HIGH
Out-of-bounds Write (CWE-787)
2026-04-27 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 06, 2026 - 21:00 vuln.today
CVSS changed
May 06, 2026 - 18:37 NVD
7.8 (HIGH)
Patch available
Apr 27, 2026 - 19:01 EUVD
Patch released
Apr 27, 2026 - 18:32 nvd
Patch available
EUVD ID Assigned
Apr 27, 2026 - 18:00 euvd
EUVD-2026-25887
CVE Published
Apr 27, 2026 - 17:34 nvd
N/A
CVE Published
Apr 27, 2026 - 17:34 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

firmware: thead: Fix buffer overflow and use standard endian macros

Addresses two issues in the TH1520 AON firmware protocol driver:

  1. Fix a potential buffer overflow where the code used unsafe pointer

arithmetic to access the 'mode' field through the 'resource' pointer with an offset. This was flagged by Smatch static checker as: "buffer overflow 'data' 2 <= 3"

  1. Replace custom RPC_SET_BE* and RPC_GET_BE* macros with standard

kernel endianness conversion macros (cpu_to_be16, etc.) for better portability and maintainability.

The functionality was re-tested with the GPU power-up sequence, confirming the GPU powers up correctly and the driver probes successfully.

[ 12.702370] powervr ffef400000.gpu: [drm] loaded firmware powervr/rogue_36.52.104.182_v1.fw [ 12.711043] powervr ffef400000.gpu: [drm] FW version v1.0 (build 6645434 OS) [ 12.719787] [drm] Initialized powervr 1.0.0 for ffef400000.gpu on minor 0

AnalysisAI

Buffer overflow in TH1520 AON firmware protocol driver allows local authenticated attackers with low privileges to execute arbitrary code and gain elevated system access. The vulnerability stems from unsafe pointer arithmetic when accessing the 'mode' field through the 'resource' pointer with unchecked offsets in the T-HEAD firmware driver. Patches available across stable kernel branches (6.18.23, 6.19.13, 7.0) with low EPSS score (0.02%) indicating minimal observed exploitation attempts, though CVSS 7.8 reflects high impact if exploited on affected T-HEAD TH1520 systems.

Technical ContextAI

The vulnerability exists in the Linux kernel's firmware subsystem, specifically in the T-HEAD TH1520 Always-On (AON) firmware protocol driver used for power management communication between the kernel and TH1520 SoC firmware. The TH1520 is a RISC-V processor from T-HEAD (Alibaba's chip division) used in embedded and edge computing systems. The flaw involves CWE-787 (Out-of-bounds Write) where pointer arithmetic bypasses buffer bounds checking when accessing structure fields. The vulnerable code performed calculations like 'resource + offset' to access the 'mode' field without validating that the resulting pointer remained within the allocated 'data' buffer boundaries. Smatch static analysis identified this as a 2-byte buffer with potential 3-byte access. The secondary issue involved non-portable custom endianness conversion macros (RPC_SET_BE*/RPC_GET_BE*) instead of kernel-standard helpers, potentially causing data corruption on different architectures. The driver interfaces with GPU power sequencing, as evidenced by the PowerVR GPU firmware loading in the patch validation testing.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.23 or later in the 6.18.x series, 6.19.13 or later in the 6.19.x series, or 7.0 and above for mainline. Apply the appropriate stable kernel patch from https://git.kernel.org/stable/c/fbdb43f6bb2a15ed382d6eb0ef82c8b07b0d47bb (6.18.x branch), https://git.kernel.org/stable/c/bd15a5deb5a7251dc1a0cf9186f0253f7eacdb97 (6.19.x branch), or https://git.kernel.org/stable/c/88c4bd90725557796c15878b7cb70066e9e6b5ab (mainline). The patches replace unsafe pointer arithmetic with bounds-checked access and standardize endianness macros. If immediate patching is not feasible for TH1520-based systems, disable or blacklist the thead_aon_firmware module if GPU power management functionality can be sacrificed, though this will prevent PowerVR GPU operation and may impact system functionality. Restrict local user access and implement principle of least privilege to limit the pool of users who could exploit this locally. Monitor for unexpected kernel module loading or privilege escalation attempts. Note that disabling the driver trades GPU functionality for security and may not be acceptable in production embedded systems requiring graphics capabilities.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31690 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy