Cyber Resilience

CVE-2026-31413

High · Updated

Published: 12 April 2026

Modified: 20 May 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31413 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 1.0th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31413 is a vulnerability in the Linux kernel's BPF verifier, specifically in the maybe_fork_scalars() function handling BPF_OR operations with a constant source operand. When the destination register has a signed range of [-1, 0], the verifier incorrectly forks the state: the pushed path assumes dst=0, while the runtime value becomes the constant K after 0 | K. This verifier/runtime divergence enables out-of-bounds access to BPF maps. The issue affects Linux kernels supporting eBPF programs and has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this by submitting a malicious eBPF program that passes verification due to the flawed scalar forking but triggers out-of-bounds map access at runtime. Successful exploitation grants high-impact confidentiality, integrity, and availability effects, potentially allowing kernel memory corruption or arbitrary code execution within the kernel context.

Kernel patches addressing this vulnerability are available in stable trees via the referenced commits, including 342aa1ee995ef5bbf876096dc3a5e51218d76fa4, 58bd87d0e69204dbd739e4387a1edb0c4b1644e7, c845894ebd6fb43226b3118d6b017942550910c5, and d13281ae7ea8902b21d99d10a2c8caf0bdec0455. The fix changes the argument passed to push_stack() from env->insn_idx + 1 to env->insn_idx, so the pushed verifier path re-executes the ALU instruction with dst = 0 and computes the same value the runtime will produce. Security practitioners should update to patched kernels to mitigate exploitation.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR

maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1.

For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access.

Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

This is a direct local kernel exploit: a low-privileged local user submits a malicious eBPF program, and the verifier bug leads to out-of-bounds map access and arbitrary kernel code execution, enabling privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-43048 · Same product: Linux Linux Kernel
CVE-2026-23406 · Same product: Linux Linux Kernel
CVE-2024-57998 · Same product: Linux Linux Kernel
CVE-2026-31641 · Same product: Linux Linux Kernel
CVE-2026-23099 · Same product: Linux Linux Kernel
CVE-2026-23288 · Same product: Linux Linux Kernel
CVE-2026-31675 · Same product: Linux Linux Kernel
CVE-2026-31570 · Same product: Linux Linux Kernel
CVE-2026-23407 · Same product: Linux Linux Kernel
CVE-2025-71112 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.12.75 — 6.12.80 · 6.18.16 — 6.18.21 · 6.19.6 — 6.19.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Applying stable kernel patches with commits like 342aa1ee995ef directly fixes the BPF verifier's unsound scalar forking for BPF_OR, eliminating the exploitable divergence.

prevent

Secure kernel configuration settings such as kernel.unprivileged_bpf_disabled=1 prevent low-privilege local attackers from loading eBPF programs that exploit the verifier flaw.

detect

Vulnerability scanning identifies Linux kernels vulnerable to CVE-2026-31413 based on version and missing patches for timely remediation.
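
A host-level triage check combining the affected version ranges and the kernel.unprivileged_bpf_disabled control described above. This is an added example, not code from this page or from the kernel project. The function names (in_range, kernel_affected, assess) and status words are hypothetical, and the upper bound of each range is assumed to be inclusive:

```shell
#!/bin/sh
# Added example, not part of the advisory. Flags kernels whose release string
# falls in the affected ranges listed on this page and reports whether
# unprivileged BPF loading is disabled.
# Assumptions: range upper bounds are treated as inclusive (conservative), and
# the ranges are upstream stable versions; distribution kernels backport
# fixes, so a match means "check the vendor advisory", not "confirmed".

# in_range SERIES PATCH WANT_SERIES LO HI
in_range() {
    [ "$1" = "$3" ] && [ "$2" -ge "$4" ] && [ "$2" -le "$5" ]
}

# kernel_affected RELEASE: exit 0 if e.g. "6.12.77-generic" is in a listed range
kernel_affected() {
    ver=${1%%[-+_]*}                 # drop local suffix: 6.12.77-generic -> 6.12.77
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;     # need major.minor.patch
        *) return 1 ;;
    esac
    series=${ver%.*}                 # 6.12
    patch=${ver##*.}                 # 77
    case $patch in *[!0-9]*) return 1 ;; esac
    in_range "$series" "$patch" 6.12 75 80 ||
    in_range "$series" "$patch" 6.18 16 21 ||
    in_range "$series" "$patch" 6.19 6 11
}

# assess RELEASE SYSCTL_VALUE: print one status word
# kernel.unprivileged_bpf_disabled: 0 = unprivileged bpf() allowed, 1 or 2 = disabled
assess() {
    if ! kernel_affected "$1"; then
        echo "not-in-listed-range"
        return 0
    fi
    case $2 in
        1|2) echo "in-range-unprivileged-bpf-disabled" ;;
        0)   echo "in-range-unprivileged-bpf-ENABLED" ;;
        *)   echo "in-range-bpf-setting-unknown" ;;
    esac
}

# Live check on the current host
rel=$(uname -r)
val=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo unknown)
echo "$rel: $(assess "$rel" "$val")"
```

A result of in-range-unprivileged-bpf-disabled still calls for patching: the sysctl only removes the low-privilege path, and processes holding CAP_BPF or CAP_SYS_ADMIN can still load programs.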
