CVE-2026-31786
Buffer Overflow in Linux Kernel Xen Hypervisor
Publication date: 2026-04-30
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 5.11 (inc) to 5.15.204 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.170 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.137 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.85 (exc) |
| linux | linux_kernel | 7.1 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.26 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 7.0.3 (exc) |
| linux | linux_kernel | From 4.13 (inc) to 5.10.254 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects Linux kernels version 4.13 or later running in Xen domains, specifically involving the sysfs file `/sys/hypervisor/properties/buildid`.
Detection involves checking the kernel version and whether the system is running as a Linux domain under Xen.
You can verify the kernel version with the command:
- `uname -r`
To check if the system is running in a Xen domain, you can look for the presence of the Xen hypervisor or the sysfs path:
- `ls /sys/hypervisor/properties/buildid`
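If the file exists and the kernel version is 4.13 or later, the system is potentially vulnerable. Compare the version against the ranges under Affected Vendors & Products: each stable branch is affected only up to (not including) the upper version listed for it.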
There is no known direct detection command to confirm the buffer overflow itself, as the issue is in kernel code handling the buildid string.
Can you explain this vulnerability to me?
CVE-2026-31786 is a vulnerability in the Linux kernel when running in Xen environments, specifically affecting kernel versions 4.13 or later.
The issue arises from a buffer overflow caused by using sprintf() to copy the binary data behind the sysfs file `/sys/hypervisor/properties/buildid`. This data has no terminating null byte, so sprintf() keeps reading past the end of the intended buffer until it finds one, which can cause out-of-bounds reads or overwrite kernel memory.
This vulnerability can lead to information leaks, Denial of Service (DoS), or privilege escalation within affected Linux Xen domains.
The issue was fixed by replacing sprintf() with memcpy() to correctly handle the binary data without relying on null termination.
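The bug class described above, reproduced in user space as an added example (this is not the kernel's code or the patch itself): the same binary data is copied once with sprintf() and once with memcpy(). The names `region`, `with_nul`, `show_sprintf` and `show_memcpy` and all byte values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUILDID_LEN 20  /* constructed: length known to the caller */

/* Constructed memory region: 20 build-id bytes with no NUL among them,
 * followed by unrelated neighbouring bytes. The trailing NUL exists only
 * so this demo stays inside one array. */
static const unsigned char region[32] = {
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
    0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
    'N', 'E', 'I', 'G', 'H', 'B', 'O', 'U', 'R', 0
};

/* Constructed build-id with a zero byte at index 3 (legal in binary data). */
static const unsigned char with_nul[BUILDID_LEN] = { 0xaa, 0xbb, 0xcc, 0x00, 0x11 };

/* Vulnerable pattern: "%s" ignores len and copies until it meets a NUL. */
static int show_sprintf(char *out, const unsigned char *id, size_t len)
{
    (void)len;
    return sprintf(out, "%s", (const char *)id);
}

/* Fixed pattern: copy exactly len bytes, refusing to overrun the output. */
static int show_memcpy(char *out, size_t out_size,
                       const unsigned char *id, size_t len)
{
    if (len > out_size)
        return -1;
    memcpy(out, id, len);
    return (int)len;
}

int main(void)
{
    char out[64];

    printf("sprintf, no NUL in id : %d bytes (expected %d)\n",
           show_sprintf(out, region, BUILDID_LEN), BUILDID_LEN);
    printf("sprintf, NUL inside id: %d bytes (expected %d)\n",
           show_sprintf(out, with_nul, BUILDID_LEN), BUILDID_LEN);
    printf("memcpy,  no NUL in id : %d bytes\n",
           show_memcpy(out, sizeof out, region, BUILDID_LEN));
    printf("memcpy,  NUL inside id: %d bytes\n",
           show_memcpy(out, sizeof out, with_nul, BUILDID_LEN));
    return 0;
}
```

With sprintf() the copied length depends on where a zero byte happens to sit, so the output either runs on into neighbouring memory or is cut short; memcpy() with the known length returns the same 20 bytes in both cases.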
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to cause information leaks, Denial of Service (DoS), or privilege escalation within Linux Xen domains running vulnerable kernel versions (4.13 or later).
Specifically, the out-of-bounds read caused by the improper handling of binary data could expose sensitive kernel memory or allow an attacker to overwrite kernel memory, potentially gaining elevated privileges or disrupting system operations.
What immediate steps should I take to mitigate this vulnerability?
There is no known mitigation other than applying the official patch that fixes the vulnerability by replacing sprintf() with memcpy() in the kernel code.
Immediate steps include:
- Identify if your system is running a vulnerable Linux kernel version (4.13 or later) in a Xen domain.
- Obtain and apply the patch provided by the Xen Project Security Advisory XSA-485.
- If patching immediately is not possible, consider limiting access to the affected systems to trusted users only to reduce risk.
- Monitor for updates from your Linux distribution or Xen Project for official patched kernel releases.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.