CVE-2026-31528
Received Received - Intake
Out-of-Bounds Memory Access in Linux Kernel perf PMU Handling

Publication date: 2026-04-22

Last updated on: 2026-04-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: perf: Make sure to use pmu_ctx->pmu for groups Oliver reported that x86_pmu_del() ended up doing an out-of-bound memory access when group_sched_in() fails and needs to roll back. This *should* be handled by the transaction callbacks, but he found that when the group leader is a software event, the transaction handlers of the wrong PMU are used. Despite the move_group case in perf_event_open() and group_sched_in() using pmu_ctx->pmu. Turns out, inherit uses event->pmu to clone the events, effectively undoing the move_group case for all inherited contexts. Fix this by also making inherit use pmu_ctx->pmu, ensuring all inherited counters end up in the same pmu context. Similarly, __perf_event_read() should use equally use pmu_ctx->pmu for the group case.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31528
EUVD
EUVD-2026-24921
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's perf subsystem, specifically related to how performance monitoring units (PMUs) are handled for event groups. The issue occurs because the function x86_pmu_del() can perform an out-of-bound memory access when group_sched_in() fails and needs to roll back. This happens because the transaction callbacks use the wrong PMU context when the group leader is a software event. The root cause is that the inherit function uses event->pmu to clone events, which bypasses the intended move_group logic that should ensure all inherited counters remain in the same PMU context. The fix involves making inherit and __perf_event_read() use pmu_ctx->pmu to maintain consistent PMU contexts for all inherited counters and group cases.

Impact Analysis

This vulnerability can lead to out-of-bound memory access in the Linux kernel's perf subsystem, which may cause system instability, crashes, or potential security risks such as memory corruption. Since it involves incorrect handling of PMU contexts, it could affect the reliability and correctness of performance monitoring and profiling tools that rely on these kernel features.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31528. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart