CVE-2026-31786
Awaiting Analysis Awaiting Analysis - Queue
Buffer Overflow in Linux Kernel Xen Hypervisor

Publication date: 2026-04-30

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Buffer overflow in drivers/xen/sys-hypervisor.c The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string. The first causes a buffer overflow as sprintf in buildid_show will read and copy till it finds a NUL. 00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P| 00000010 b9 a8 01 42 6f 2e 32 |...Bo.2| 00000017 So use a memcpy instead of sprintf to have the correct value: 00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P| 00000010 b9 a8 01 42 |...B| 00000014 (the above have a hack to embed a zero inside and check it's returned correctly). This is XSA-485 / CVE-2026-31786
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31786
EUVD
EUVD-2026-26364
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.11 (inc) to 5.15.204 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.170 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.137 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.85 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.26 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.3 (exc)
linux linux_kernel From 4.13 (inc) to 5.10.254 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31786 is a vulnerability in the Linux kernel when running in Xen environments, specifically affecting kernel versions 4.13 or later.

The issue arises from a buffer overflow caused by the use of sprintf() to copy binary data from the sysfs file `/sys/hypervisor/properties/buildid`. This binary data does not have a terminating null byte, so sprintf() may read beyond the intended buffer until it finds a null byte, potentially causing out-of-bounds reads or overwriting kernel memory.

This vulnerability can lead to information leaks, Denial of Service (DoS), or privilege escalation within affected Linux Xen domains.

The issue was fixed by replacing sprintf() with memcpy() to correctly handle the binary data without relying on null termination.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause information leaks, Denial of Service (DoS), or privilege escalation within Linux Xen domains running vulnerable kernel versions (4.13 or later).

Specifically, the out-of-bounds read caused by the improper handling of binary data could expose sensitive kernel memory or allow an attacker to overwrite kernel memory, potentially gaining elevated privileges or disrupting system operations.

Detection Guidance

This vulnerability affects Linux kernels version 4.13 or later running in Xen domains, specifically involving the sysfs file /sys/hypervisor/properties/buildid.

Detection involves checking the kernel version and whether the system is running as a Linux domain under Xen.

You can verify the kernel version with the command:

  • uname -r

To check if the system is running in a Xen domain, you can look for the presence of the Xen hypervisor or the sysfs path:

  • ls /sys/hypervisor/properties/buildid

If the file exists and the kernel version is 4.13 or later, the system is potentially vulnerable.

There is no known direct detection command to confirm the buffer overflow itself, as the issue is in kernel code handling the buildid string.

Mitigation Strategies

There is no known mitigation other than applying the official patch that fixes the vulnerability by replacing sprintf with memcpy in the kernel code.

Immediate steps include:

  • Identify if your system is running a vulnerable Linux kernel version (4.13 or later) in a Xen domain.
  • Obtain and apply the patch provided by the Xen Project Security Advisory XSA-485.
  • If patching immediately is not possible, consider limiting access to the affected systems to trusted users only to reduce risk.
  • Monitor for updates from your Linux distribution or Xen Project for official patched kernel releases.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31786. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart