CVE-2026-31413

HIGH EPSS 12.6%
Published Apr 12, 20262mo ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 12, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access. Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
12.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 3

VendorProductVersionRange
linuxlinux_kernel*≥6.12.75  –  <6.12.80
linuxlinux_kernel*≥6.18.16  –  <6.18.21
linuxlinux_kernel*≥6.19.6  –  <6.19.11

References 4

  • git.kernel.org https://git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455
    Patch