CVE-2026-31521
Received Received - Intake
Out-of-Bounds Index Vulnerability in Linux Kernel Module Loader Causes Panic

Publication date: 2026-04-22

Last updated on: 2026-04-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: module: Fix kernel panic when a symbol st_shndx is out of bounds The module loader doesn't check for bounds of the ELF section index in simplify_symbols(): for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) { const char *name = info->strtab + sym[i].st_name; switch (sym[i].st_shndx) { case SHN_COMMON: [...] default: /* Divert to percpu allocation if a percpu var. */ if (sym[i].st_shndx == info->index.pcpu) secbase = (unsigned long)mod_percpu(mod); else /** HERE --> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr; sym[i].st_value += secbase; break; } } A symbol with an out-of-bounds st_shndx value, for example 0xffff (known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic: BUG: unable to handle page fault for address: ... RIP: 0010:simplify_symbols+0x2b2/0x480 ... Kernel panic - not syncing: Fatal exception This can happen when module ELF is legitimately using SHN_XINDEX or when it is corrupted. Add a bounds check in simplify_symbols() to validate that st_shndx is within the valid range before using it. This issue was discovered due to a bug in llvm-objcopy, see relevant discussion for details [1]. [1] https://lore.kernel.org/linux-modules/[email protected]/
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31521
EUVD
EUVD-2026-24907
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
linux linux_kernel From 2.6.12.1 (inc) to 5.15.203 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's module loader, specifically in the simplify_symbols() function. The function does not properly check if the ELF section index (st_shndx) of a symbol is within valid bounds before using it.

If a symbol has an out-of-bounds st_shndx value, such as 0xffff (which corresponds to special values like SHN_XINDEX or SHN_HIRESERVE), the kernel may attempt to access invalid memory addresses. This can cause a kernel panic, resulting in a fatal exception and system crash.

The issue can occur either when a module ELF legitimately uses these special section indices or if the module is corrupted. The fix involves adding a bounds check to ensure st_shndx is valid before it is used.

Mitigation Strategies

The vulnerability is resolved by adding a bounds check in the simplify_symbols() function of the Linux kernel module loader to validate that the ELF symbol section index (st_shndx) is within the valid range before use.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Detection Guidance

This vulnerability involves a kernel panic caused by an out-of-bounds ELF section index (st_shndx) in the Linux kernel module loader. Detection would typically involve monitoring for kernel panic messages related to simplify_symbols or unusual module loading failures.

You can check your system logs (e.g., using dmesg or journalctl) for kernel panic messages referencing simplify_symbols or related faults.

  • dmesg | grep -i 'simplify_symbols'
  • journalctl -k | grep -i 'kernel panic'
  • journalctl -k | grep -i 'simplify_symbols'

Additionally, inspecting loaded kernel modules for corrupted or suspicious ELF symbols might require specialized tools or scripts, but no specific commands are provided in the available information.

Impact Analysis

This vulnerability can cause a kernel panic, which leads to a system crash and loss of availability. If exploited or triggered, it can disrupt normal system operations, potentially causing downtime or requiring a reboot.

Since the kernel panic is caused by invalid memory access due to out-of-bounds section indices in kernel modules, it may also be exploited to cause denial of service on affected Linux systems.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31521. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart