Skip to main content

Linux Kernel EUVDEUVD-2026-26595

| CVE-2026-31782 HIGH
Out-of-bounds Read (CWE-125)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 03, 2026 - 07:32 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.8 (HIGH)
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26595
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

perf/x86: Fix potential bad container_of in intel_pmu_hw_config

Auto counter reload may have a group of events with software events present within it. The software event PMU isn't the x86_hybrid_pmu and a container_of operation in intel_pmu_set_acr_caused_constr (via the hybrid helper) could cause out of bound memory reads. Avoid this by guarding the call to intel_pmu_set_acr_caused_constr with an is_x86_event check.

AnalysisAI

Out-of-bounds memory read in Linux kernel's Intel PMU (Performance Monitoring Unit) handling allows local authenticated attackers with low privileges to potentially access sensitive kernel memory, modify data, or cause system crashes. The flaw occurs when perf auto counter reload groups contain software events, triggering an unsafe container_of operation that can dereference memory outside valid bounds. EPSS exploitation probability is very low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis. Patches available for kernel versions 6.18.22, 6.19.12, and 7.0.

Technical ContextAI

This vulnerability affects the x86 Performance Monitoring Unit (PMU) subsystem within the Linux kernel perf framework. The perf subsystem allows hardware performance counter monitoring, and auto counter reload (ACR) is a feature that automatically resets counters. The flaw lies in intel_pmu_hw_config function's handling of hybrid PMU architectures (Intel's performance/efficiency core designs). When a perf event group containing software events (not tied to x86_hybrid_pmu) is processed, the code performs a container_of macro operation without validating the PMU type. The container_of macro calculates a structure's base address from a member pointer using pointer arithmetic - if the actual structure isn't x86_hybrid_pmu, this calculation yields an arbitrary memory address, leading to out-of-bounds reads when intel_pmu_set_acr_caused_constr accesses what it believes are valid structure members. The fix adds an is_x86_event check before the container_of operation to ensure type safety.

RemediationAI

Upgrade to patched Linux kernel versions 6.18.22, 6.19.12, 7.0 or later, depending on your stable branch. Patches are available from the mainline stable kernel repository at https://git.kernel.org/stable/c/e435a30ca6fe14c9611b1fc731c98a6d28410247 (primary fix), https://git.kernel.org/stable/c/bfee04838f636d064bc92075c65c95f739003804, and https://git.kernel.org/stable/c/dbde07f06226438cd2cf1179745fa1bec5d8914a (backports). For systems unable to immediately patch, disable perf auto counter reload functionality via kernel boot parameters or runtime sysctl settings (perf_event_paranoid=3 prevents unprivileged perf access entirely, though this impacts legitimate monitoring). Alternatively, restrict access to perf_event_open syscall using SELinux/AppArmor policies or seccomp filters to prevent low-privilege users from creating perf event groups - this breaks some performance monitoring tools but eliminates the attack vector. Note that disabling perf entirely may impact system observability and troubleshooting capabilities in production environments.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26595 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy