Skip to main content

Linux Kernel CVE-2026-31742

| EUVDEUVD-2026-26555 HIGH
Out-of-bounds Read (CWE-125)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:28 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:02 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26555
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:14 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

vt: discard stale unicode buffer on alt screen exit after resize

When enter_alt_screen() saves vc_uni_lines into vc_saved_uni_lines and sets vc_uni_lines to NULL, a subsequent console resize via vc_do_resize() skips reallocating the unicode buffer because vc_uni_lines is NULL. However, vc_saved_uni_lines still points to the old buffer allocated for the original dimensions.

When leave_alt_screen() later restores vc_saved_uni_lines, the buffer dimensions no longer match vc_rows/vc_cols. Any operation that iterates over the unicode buffer using the current dimensions (e.g. csi_J clearing the screen) will access memory out of bounds, causing a kernel oops:

BUG: unable to handle page fault for address: 0x0000002000000020 RIP: 0010:csi_J+0x133/0x2d0

The faulting address 0x0000002000000020 is two adjacent u32 space characters (0x20) interpreted as a pointer, read from the row data area past the end of the 25-entry pointer array in a buffer allocated for 80x25 but accessed with 240x67 dimensions.

Fix this by checking whether the console dimensions changed while in the alternate screen. If they did, free the stale saved buffer instead of restoring it. The unicode screen will be lazily rebuilt via vc_uniscr_check() when next needed.

AnalysisAI

Memory corruption in the Linux kernel virtual terminal (vt) subsystem allows local authenticated users to trigger kernel crashes and potentially escalate privileges. When a console switches to an alternate screen and then gets resized, the saved Unicode buffer retains stale dimensions. Upon returning to the primary screen, operations like screen clearing (csi_J) access memory out of bounds using current dimensions against the old buffer, causing kernel oops. EPSS exploitation probability is low (0.02%, 4th percentile), no active exploitation confirmed, but vendor patches are available across multiple stable kernel branches (5.x, 6.18.x, 6.19.x).

Technical ContextAI

This vulnerability affects the Linux kernel's virtual terminal (vt) subsystem, specifically the Unicode screen buffer management during alternate screen operations. The vt driver maintains vc_uni_lines for the Unicode representation of console content. When enter_alt_screen() is called, it saves vc_uni_lines to vc_saved_uni_lines and nullifies vc_uni_lines. If vc_do_resize() executes while in alternate screen mode, it skips reallocating the Unicode buffer because vc_uni_lines is NULL, leaving vc_saved_uni_lines pointing to a buffer sized for the original console dimensions. When leave_alt_screen() restores vc_saved_uni_lines, the buffer dimensions become mismatched with current vc_rows/vc_cols values. Subsequent console operations that iterate using current dimensions (like CSI J control sequences for screen clearing) perform out-of-bounds memory access. The crash signature shows a faulting address of 0x0000002000000020 - two consecutive u32 space characters (0x20) misinterpreted as a pointer, indicating the code read beyond a 25-entry pointer array in an 80x25 buffer when accessing with 240x67 dimensions. This is a classic use-after-free/buffer dimension mismatch bug in kernel memory management.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.22 or later for the 6.18 stable series, 6.19.12 or later for the 6.19 stable series, or apply upstream commits 891d790fdb5c96c6e1d2841e06ee6c360f2d1288 (mainline), 428fdf55301e6c8fa5a36b426240797b1cf86570, or 40014493cece72a0be5672cd86763e53fb3ec613 depending on your kernel branch. Distribution-specific packages should be obtained from your vendor's security advisory channels. Patch URLs: https://git.kernel.org/stable/c/891d790fdb5c96c6e1d2841e06ee6c360f2d1288 (mainline fix), https://git.kernel.org/stable/c/428fdf55301e6c8fa5a36b426240797b1cf86570, and https://git.kernel.org/stable/c/40014493cece72a0be5672cd86763e53fb3ec613. If immediate patching is not feasible, consider compensating controls: restrict local console access to trusted administrators only via PAM configuration or SELinux/AppArmor policies, disable virtual terminal allocation for untrusted users (via systemd LoginConfiguration or pam_systemd settings), and monitor kernel logs for oops messages indicating exploitation attempts. Note that disabling vt functionality may impact systems requiring console access for recovery or maintenance, requiring serial console alternatives. These mitigations reduce attack surface but do not eliminate the vulnerability - prioritize patching.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31742 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy