Skip to main content

Linux Kernel EUVDEUVD-2026-24921

| CVE-2026-31528 HIGH
Out-of-bounds Read (CWE-125)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-37p2-prpf-4qx7
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 18:07 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 18:00 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:26 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24921
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

perf: Make sure to use pmu_ctx->pmu for groups

Oliver reported that x86_pmu_del() ended up doing an out-of-bound memory access when group_sched_in() fails and needs to roll back.

This *should* be handled by the transaction callbacks, but he found that when the group leader is a software event, the transaction handlers of the wrong PMU are used. Despite the move_group case in perf_event_open() and group_sched_in() using pmu_ctx->pmu.

Turns out, inherit uses event->pmu to clone the events, effectively undoing the move_group case for all inherited contexts. Fix this by also making inherit use pmu_ctx->pmu, ensuring all inherited counters end up in the same pmu context.

Similarly, __perf_event_read() should use equally use pmu_ctx->pmu for the group case.

AnalysisAI

Out-of-bounds memory access in Linux kernel perf subsystem allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact. The vulnerability occurs when group_sched_in() fails during performance monitoring event handling and event inheritance uses the wrong PMU (Performance Monitoring Unit) context, leading to improper rollback and memory corruption. Despite high CVSS score (7.8), EPSS probability indicates very low real-world exploitation likelihood (0.02%, 5th percentile). Vendor patches available across multiple stable kernel branches (6.6.131, 6.12.80, 6.18.21, 6.19.11, 7.0) per git.kernel.org commit references.

Technical ContextAI

The Linux kernel perf subsystem manages hardware performance counters through PMU contexts (pmu_ctx). When creating event groups with mixed software and hardware events, perf_event_open() uses move_group logic to ensure events share the same PMU context via pmu_ctx->pmu. However, the event inheritance code path incorrectly referenced event->pmu instead of pmu_ctx->pmu when cloning events to child processes or threads. This discrepancy causes inherited events to land in different PMU contexts than their parents, violating the move_group invariant. When group_sched_in() subsequently fails and attempts rollback via x86_pmu_del(), the mismatch triggers out-of-bounds memory access because transaction callbacks operate on the wrong PMU structure. The bug affects both event inheritance and the __perf_event_read() path for grouped performance counter reads. The fix ensures pmu_ctx->pmu consistency across inheritance and read operations, maintaining proper PMU context boundaries.

RemediationAI

Upgrade to patched kernel versions: 6.6.131+ for 6.6.x series, 6.12.80+ for 6.12.x series, 6.18.21+ for 6.18.x series, 6.19.11+ for 6.19.x series, or 7.0+ for mainline. Upstream fixes available in git.kernel.org commits 35f7914e54fe7f13654c22ee045b05e4b6d8062b (reference https://git.kernel.org/stable/c/35f7914e54fe7f13654c22ee045b05e4b6d8062b) and related stable branch commits. For distributions, consult vendor security advisories for backported fixes rather than applying upstream patches directly - RHEL, Ubuntu, SUSE, Debian typically backport to supported kernel versions. If immediate patching is not feasible, restrict access to perf subsystem by setting /proc/sys/kernel/perf_event_paranoid to 3 (most restrictive, blocks all unprivileged access) or 2 (requires CAP_PERFMON or ownership), reducing attack surface to only privileged monitoring tools. Note this mitigation breaks legitimate performance profiling for unprivileged users and may impact APM agents, so assess impact on monitoring workflows before implementing. No reboot-avoidance options exist for kernel vulnerabilities - plan maintenance window for kernel update and system restart.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24921 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy