CVE-2026-31413
Out-of-Bounds Access in Linux Kernel BPF Verifier Due to Forking Bug
Publication date: 2026-04-12
Last updated on: 2026-04-27
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's BPF (Berkeley Packet Filter) verifier, specifically in the function maybe_fork_scalars() when handling the BPF_OR operation with a constant source operand.
The function forks the verifier state based on the signed range of the destination operand (dst). For BPF_AND, the logic is correct, but for BPF_OR, the verifier incorrectly assumes that 0 | K equals 0, when in fact it equals K.
This incorrect assumption causes the verifier to track an incorrect state, leading to a divergence between verifier and runtime behavior. This divergence can be exploited to perform out-of-bounds map access.
The fix involves changing how the verifier re-executes the ALU instruction by adjusting the instruction index passed to push_stack(), ensuring the correct computation of results for any opcode.
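The divergence described above can be reproduced in a small stand-alone model; this is an added example, not kernel code. All names are hypothetical, and it assumes the forked path starts with dst = 0 and that the index given to push_stack() decides whether that path skips or re-executes the ALU instruction.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not kernel code: every name here is hypothetical. */
enum alu_op { OP_AND, OP_OR };

struct insn  { enum alu_op op; int64_t k; };   /* dst = dst <op> K */
struct state { int idx; int64_t dst; };        /* one verifier path */

static int64_t alu(enum alu_op op, int64_t dst, int64_t k)
{
    return op == OP_AND ? (dst & k) : (dst | k);
}

/* Walk a path from st.idx to the end of prog and return the final dst. */
static int64_t run_path(const struct insn *prog, int len, struct state st)
{
    for (; st.idx < len; st.idx++)
        st.dst = alu(prog[st.idx].op, st.dst, prog[st.idx].k);
    return st.dst;
}

/* Forked path with dst = 0. reexecute == 0 models resuming after the ALU
 * instruction (result assumed to stay 0); reexecute == 1 models resuming
 * at the ALU instruction so the result is computed from the opcode. */
static int64_t forked_tracked(const struct insn *prog, int len, int alu_idx, int reexecute)
{
    struct state pushed = { reexecute ? alu_idx : alu_idx + 1, 0 };
    return run_path(prog, len, pushed);
}

/* What actually executes when dst is 0 before the ALU instruction. */
static int64_t runtime_value(const struct insn *prog, int len, int alu_idx)
{
    struct state real = { alu_idx, 0 };
    return run_path(prog, len, real);
}

/* 1 if the tracked value differs from the runtime value, else 0. */
static int diverges(enum alu_op op, int64_t k, int reexecute)
{
    struct insn prog[] = { { op, k } };
    return forked_tracked(prog, 1, 0, reexecute) != runtime_value(prog, 1, 0);
}

int main(void)
{
    int64_t k = 0x40;  /* constructed constant K */
    printf("AND skip: %d, OR skip: %d, OR re-execute: %d\n",
           diverges(OP_AND, k, 0), diverges(OP_OR, k, 0), diverges(OP_OR, k, 1));
    return 0;
}
```

Skipping the instruction is harmless for BPF_AND because 0 & K is 0, while for BPF_OR the tracked value stays 0 and the runtime value is K; re-executing removes the mismatch for both opcodes.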
How can this vulnerability impact me?
This vulnerability can lead to an exploitable divergence between the verifier's assumptions and the actual runtime behavior in the Linux kernel's BPF subsystem.
An attacker could leverage this flaw to perform out-of-bounds map access, potentially allowing unauthorized access to kernel memory or data structures.
Such unauthorized access could lead to privilege escalation, data corruption, or system instability.