CVE-2026-31413
Published: 12 April 2026
Summary
CVE-2026-31413 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked in the 1st percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-31413 is a vulnerability in the Linux kernel's BPF verifier, specifically in the maybe_fork_scalars() function, which handles BPF_AND and BPF_OR operations whose source operand is a constant K. When the destination register has a signed range of [-1, 0], the verifier forks the state into two paths: the current path continues with dst = -1, and a pushed path is queued with dst = 0. Because the pushed path resumes after the ALU instruction, it keeps tracking dst as 0, as if that were the result of the operation. For BPF_AND this is sound (0 & K == 0), but for BPF_OR the runtime value is K (0 | K == K), not 0. This verifier/runtime divergence lets a program pass a bounds check on the tracked value 0 and then index a BPF map with K at runtime, giving out-of-bounds access. The issue affects Linux kernels supporting eBPF programs and has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker who can load eBPF programs can exploit this by submitting a program that passes verification because of the flawed scalar forking but performs an out-of-bounds map access at runtime. Note that where kernel.unprivileged_bpf_disabled=1 is in effect (the default on many distributions through CONFIG_BPF_UNPRIV_DEFAULT_OFF), loading BPF programs requires CAP_BPF or CAP_SYS_ADMIN, which raises the bar for the low-privileged attacker the CVSS vector assumes. Successful exploitation has high-impact confidentiality, integrity, and availability effects, potentially allowing kernel memory corruption or arbitrary code execution in kernel context.
Kernel patches addressing this vulnerability are available in the stable trees via the referenced commits, including 342aa1ee995ef5bbf876096dc3a5e51218d76fa4, 58bd87d0e69204dbd739e4387a1edb0c4b1644e7, c845894ebd6fb43226b3118d6b017942550910c5, and d13281ae7ea8902b21d99d10a2c8caf0bdec0455. The fix changes the push_stack() call to pass env->insn_idx instead of env->insn_idx + 1, so the pushed verifier path re-executes the ALU instruction with dst = 0 and computes the correct result for whichever opcode is in use. Practitioners should update to patched kernels to remove the divergence.
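The fork described above, as an added example that is not kernel code and not from the original page: a toy symbolic execution of maybe_fork_scalars() for a two-instruction program, with the unpatched behaviour (pushed path resumes at insn_idx + 1) beside the patched one (pushed path resumes at insn_idx). The instruction layout, the 4-entry map, the constant K = 64 and all names (model_fork_path, fork_is_unsound, run_alu, index_ok) are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of the BPF verifier's maybe_fork_scalars() decision for
 * "dst = dst OP K" when dst is known to lie in the signed range [-1, 0].
 * The verifier forks into two paths: the pushed path assumes dst == 0,
 * the current path assumes dst == -1.  The (assumed) program being
 * checked is:
 *
 *   insn 0:  dst = dst OP K          (OP is BPF_AND or BPF_OR, K constant)
 *   insn 1:  if dst is a valid index, load map[dst]
 */
enum bpf_alu_op { ALU_AND, ALU_OR };

struct fork_result {
    int64_t tracked;         /* what the verifier believes dst holds before insn 1 */
    int64_t runtime;         /* what dst actually holds before insn 1 */
    bool verifier_accepts;   /* insn 1 bounds check passes on the tracked value */
    bool runtime_in_bounds;  /* the same check applied to the runtime value */
};

/* Concrete semantics of the ALU instruction (what the CPU/JIT does). */
static int64_t run_alu(enum bpf_alu_op op, int64_t dst, int64_t k)
{
    return op == ALU_AND ? (dst & k) : (dst | k);
}

/* The bounds check the verifier applies to a map index (assumed form). */
static bool index_ok(int64_t v, int64_t map_entries)
{
    return v >= 0 && v < map_entries;
}

/*
 * Model one of the two forked paths.  'pushed' selects the path pushed
 * onto the verifier stack (dst assumed 0); otherwise the current path
 * (dst assumed -1) is modelled.  'fixed' selects whether push_stack() was
 * given env->insn_idx (patched: the pushed path re-executes insn 0) or
 * env->insn_idx + 1 (unpatched: the pushed path resumes after insn 0 and
 * keeps dst == 0 as if that were the ALU result).
 */
struct fork_result model_fork_path(enum bpf_alu_op op, int64_t k,
                                   int64_t map_entries, bool fixed, bool pushed)
{
    struct fork_result r;
    const int alu_insn = 0;
    int64_t assumed = pushed ? 0 : -1;

    /* Where symbolic execution resumes for this path. The current path
     * always finishes processing insn 0 with dst = -1. */
    int resume_at = pushed ? (fixed ? alu_insn : alu_insn + 1) : alu_insn;

    /* Tracked value: the ALU op is only folded in if the path visits insn 0. */
    r.tracked = (resume_at == alu_insn) ? run_alu(op, assumed, k) : assumed;

    /* Runtime value: the hardware always executes insn 0. */
    r.runtime = run_alu(op, assumed, k);

    r.verifier_accepts = index_ok(r.tracked, map_entries);
    r.runtime_in_bounds = index_ok(r.runtime, map_entries);
    return r;
}

/* The divergence is exploitable when the verifier accepts an access that,
 * at runtime, lands outside the map. */
bool fork_is_unsound(struct fork_result r)
{
    return r.verifier_accepts && !r.runtime_in_bounds;
}

int main(void)
{
    const int64_t K = 64, MAP_ENTRIES = 4;   /* constructed sample values */
    const char *names[] = { "BPF_AND", "BPF_OR" };

    for (int op = ALU_AND; op <= ALU_OR; op++) {
        for (int fixed = 0; fixed <= 1; fixed++) {
            struct fork_result r = model_fork_path(op, K, MAP_ENTRIES, fixed, true);
            printf("%s pushed path, %s: tracked=%lld runtime=%lld -> %s\n",
                   names[op], fixed ? "patched" : "unpatched",
                   (long long)r.tracked, (long long)r.runtime,
                   fork_is_unsound(r) ? "UNSOUND" : "sound");
        }
    }
    return 0;
}
```

Only the BPF_OR pushed path on the unpatched model produces an index the verifier accepts (tracked 0) but which is 64 at runtime; on the patched model the pushed path re-executes the OR, tracks 64, and the bounds check rejects the access. The current path (dst = -1) is sound in both cases: -1 | K stays -1 and -1 & K becomes K, and the verifier tracks exactly that.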
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21717
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR

maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access. Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode.
CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploitation for Privilege Escalation (T1068)
Why these techniques?
Direct local kernel exploit via malicious eBPF program submission: the verifier bug allows out-of-bounds map access and potentially arbitrary kernel code execution, enabling privilege escalation from a low-privileged local user.
Mitigating Controls (NIST 800-53 r5)
Applying the stable kernel patches (commit 342aa1ee995ef and the other commits listed above) directly fixes the BPF verifier's unsound scalar forking for BPF_OR, eliminating the exploitable divergence.
Secure kernel configuration settings (CM-6) such as kernel.unprivileged_bpf_disabled=1 prevent low-privileged local users from loading eBPF programs that exploit the verifier flaw; with that setting, only processes holding CAP_BPF or CAP_SYS_ADMIN can load programs, so the remaining exposure is to already-privileged code. Verify the current value with sysctl kernel.unprivileged_bpf_disabled, and note that a value of 2 also disables unprivileged BPF but cannot be changed back without a reboot.
Vulnerability scanning (RA-5) identifies Linux kernels vulnerable to CVE-2026-31413 by kernel version and missing patches, supporting timely remediation.