CVE-2026-31521

MEDIUM · CVSS 3.1: 5.5 · EPSS 2.4%
Published Apr 22, 2026 (2mo ago)
Last Modified Jun 17, 2026 (1w ago)

Description

In the Linux kernel, the following vulnerability has been resolved:

module: Fix kernel panic when a symbol st_shndx is out of bounds

The module loader doesn't check for bounds of the ELF section index in simplify_symbols():

    for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
        const char *name = info->strtab + sym[i].st_name;

        switch (sym[i].st_shndx) {
        case SHN_COMMON:

        [...]

        default:
            /* Divert to percpu allocation if a percpu var. */
            if (sym[i].st_shndx == info->index.pcpu)
                secbase = (unsigned long)mod_percpu(mod);
            else
                /** HERE --> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
            sym[i].st_value += secbase;
            break;
        }
    }

A symbol with an out-of-bounds st_shndx value, for example 0xffff (known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:

    BUG: unable to handle page fault for address: ...
    RIP: 0010:simplify_symbols+0x2b2/0x480
    ...
    Kernel panic - not syncing: Fatal exception

This can happen when module ELF is legitimately using SHN_XINDEX or when it is corrupted.

Add a bounds check in simplify_symbols() to validate that st_shndx is within the valid range before using it.

This issue was discovered due to a bug in llvm-objcopy, see relevant discussion for details [1].

[1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 13

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥2.6.12.1 – <5.15.203
linux   linux_kernel  *        ≥5.16 – <6.1.168
linux   linux_kernel  *        ≥6.2 – <6.6.131
linux   linux_kernel  *        ≥6.7 – <6.12.80
linux   linux_kernel  *        ≥6.13 – <6.18.21
linux   linux_kernel  *        ≥6.19 – <6.19.11
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any

References 7

  • https://git.kernel.org/stable/c/082f15d2887329e0f43fd3727e69365f5bfe5d2c (Patch)
  • https://git.kernel.org/stable/c/4bbdb0e48176fd281c2b9a211b110db6fd94e175 (Patch)
  • https://git.kernel.org/stable/c/5d16f519b6eb1d071807e57efe0df2baa8d32ad6 (Patch)
  • https://git.kernel.org/stable/c/6ba6957c640f58dc8ef046981a045da43e47ea23 (Patch)
  • https://git.kernel.org/stable/c/ec2b22a58073f80739013588af448ff6e2ab906f (Patch)
  • https://git.kernel.org/stable/c/ef75dc1401d8e797ee51559a0dd0336c225e1776 (Patch)
  • https://git.kernel.org/stable/c/f9d69d5e7bde2295eb7488a56f094ac8f5383b92 (Patch)

Remediation

  • https://git.kernel.org/stable/c/082f15d2887329e0f43fd3727e69365f5bfe5d2c (Patch)
  • https://git.kernel.org/stable/c/4bbdb0e48176fd281c2b9a211b110db6fd94e175 (Patch)
  • https://git.kernel.org/stable/c/5d16f519b6eb1d071807e57efe0df2baa8d32ad6 (Patch)
  • https://git.kernel.org/stable/c/6ba6957c640f58dc8ef046981a045da43e47ea23 (Patch)
  • https://git.kernel.org/stable/c/ec2b22a58073f80739013588af448ff6e2ab906f (Patch)
  • https://git.kernel.org/stable/c/ef75dc1401d8e797ee51559a0dd0336c225e1776 (Patch)
  • https://git.kernel.org/stable/c/f9d69d5e7bde2295eb7488a56f094ac8f5383b92 (Patch)