Skip to main content

Linux Kernel CVE-2026-31786

| EUVDEUVD-2026-26364 HIGH
Out-of-bounds Write (CWE-787)
2026-04-30 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch released
May 04, 2026 - 09:16 nvd
Patch available
Analysis Generated
May 03, 2026 - 09:31 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.8 (HIGH)
Patch available
Apr 30, 2026 - 12:01 EUVD
EUVD ID Assigned
Apr 30, 2026 - 11:15 euvd
EUVD-2026-26364
Analysis Generated
Apr 30, 2026 - 11:15 vuln.today
CVE Published
Apr 30, 2026 - 10:31 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

Buffer overflow in drivers/xen/sys-hypervisor.c

The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string.

The first causes a buffer overflow as sprintf in buildid_show will read and copy till it finds a NUL.

00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P| 00000010 b9 a8 01 42 6f 2e 32 |...Bo.2| 00000017

So use a memcpy instead of sprintf to have the correct value:

00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P| 00000010 b9 a8 01 42 |...B| 00000014

(the above have a hack to embed a zero inside and check it's returned correctly).

This is XSA-485 / CVE-2026-31786

AnalysisAI

Buffer overflow in Linux kernel Xen hypervisor interface allows local authenticated users to achieve arbitrary code execution with high privilege escalation impact. The vulnerability stems from improper handling of non-NUL-terminated build ID data from HYPERVISOR_xen_version(XENVER_build_id) in drivers/xen/sys-hypervisor.c, where sprintf reads past buffer boundaries seeking a NUL terminator. Affects Linux kernel versions from 5.10 through 7.0 series when running as Xen domain. Vendor-released patches available across all affected stable branches (5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.26, 7.0.3). EPSS score of 0.08% (23rd percentile) indicates low probability of mass exploitation despite high CVSS 7.8, reflecting specialized Xen-only attack surface. No public exploit identified at time of analysis.

Technical ContextAI

This vulnerability affects the Linux kernel's Xen paravirtualization interface layer, specifically the sysfs exposure of hypervisor metadata in drivers/xen/sys-hypervisor.c. The buildid_show() function uses sprintf() to copy build ID data returned by the Xen hypercall HYPERVISOR_xen_version(XENVER_build_id). The Xen hypervisor interface specification does not guarantee NUL-terminated string returns for build IDs - the data is opaque binary content. Using sprintf() on non-NUL-terminated data causes the C library function to continue reading memory sequentially until encountering a NUL byte, potentially copying arbitrary kernel memory beyond the intended buffer into userspace-accessible sysfs output or corrupting adjacent kernel structures. The fix replaces sprintf() with memcpy() to handle exactly the returned length without assuming string semantics. This is a classic boundary violation resulting from mismatched assumptions between data producer (Xen hypervisor) and consumer (Linux kernel driver). The vulnerability only manifests in Linux systems running as Xen guest domains (DomU) or Dom0, not on bare-metal or KVM/VMware virtualization platforms.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.254+ for 5.10.x series, 5.15.204+ for 5.15.x, 6.1.170+ for 6.1.x, 6.6.137+ for 6.6.x, 6.12.85+ for 6.12.x, 6.18.26+ for 6.18.x, or 7.0.3+ for 7.0.x. Mainline kernel users should apply commit e3af585e1728c917682b6a3de9a69b41fb9194d4. Distribution-specific updates: monitor RHEL, Ubuntu, SUSE, Debian security advisories for backported fixes integrated into vendor kernel packages. References available at https://git.kernel.org/stable/c/e3af585e1728c917682b6a3de9a69b41fb9194d4 and related commit links. Compensating controls if immediate patching is infeasible: restrict local shell access to Xen guest VMs to trusted administrators only, remove untrusted user accounts from Xen DomU systems, or migrate workloads from Xen to KVM/bare-metal platforms where Xen drivers are not loaded (eliminates vulnerable code path entirely). Note that disabling CONFIG_XEN_SYSFS during kernel recompilation prevents buildid_show exposure but may break Xen management tooling expecting /sys/hypervisor attributes. No runtime sysctl or module parameter exists to disable the vulnerable function without kernel rebuild. Side effects of migration: Xen-specific features (e.g., PV drivers, memory ballooning) unavailable on alternative hypervisors.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed

Share

CVE-2026-31786 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy