CVE-2026-31413
Analyzed Analyzed - Analysis Complete
Out-of-Bounds Access in Linux Kernel BPF Verifier Due to Forking Bug

Publication date: 2026-04-12

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access. Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-12
Last Modified
2026-05-20
Generated
2026-06-16
AI Q&A
2026-04-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31413
EUVD
EUVD-2026-21717
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.12.75 (inc) to 6.12.80 (exc)
linux linux_kernel From 6.18.16 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19.6 (inc) to 6.19.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's BPF (Berkeley Packet Filter) verifier, specifically in the function maybe_fork_scalars() when handling the BPF_OR operation with a constant source operand.

The function forks the verifier state based on the signed range of the destination operand (dst). For BPF_AND, the logic is correct, but for BPF_OR, the verifier incorrectly assumes that 0 | K equals 0, when in fact it equals K.

This incorrect assumption causes the verifier to track an incorrect state, leading to a divergence between verifier and runtime behavior. This divergence can be exploited to perform out-of-bounds map access.

The fix involves changing how the verifier re-executes the ALU instruction by adjusting the instruction index passed to push_stack(), ensuring the correct computation of results for any opcode.

Impact Analysis

This vulnerability can lead to an exploitable divergence between the verifier's assumptions and the actual runtime behavior in the Linux kernel's BPF subsystem.

An attacker could leverage this flaw to perform out-of-bounds map access, potentially allowing unauthorized access to kernel memory or data structures.

Such unauthorized access could lead to privilege escalation, data corruption, or system instability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31413. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart