Cyber Resilience

CVE-2026-31484

Severity: High
Published: 22 April 2026
Modified: 28 April 2026
CVSS v3.1 Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0002 (4.2th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31484 is a high-severity out-of-bounds read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE ranks at the 4.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31484 is an out-of-bounds read vulnerability in the Linux kernel's io_uring subsystem, specifically within the __io_uring_show_fdinfo() function. The issue affects rings configured with IORING_SETUP_SQE_MIXED using 128-byte submission queue entries (SQEs). During iteration over pending SQEs, the code incorrectly checks for wrap-around at the end of the sq_sqes array by testing (++sq_head & sq_mask) == 0. This fails because sq_head increments only on 128-byte SQEs, allowing the actual array index sq_idx = (i + sq_head) & sq_mask to reach sq_mask (the last slot) without triggering the check, leading to an out-of-bounds read. The vulnerability is classified under CWE-125 with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering the fdinfo exposure for an io_uring instance, potentially reading sensitive kernel memory out-of-bounds or causing a denial of service through kernel crash. The low attack complexity and lack of user interaction make it feasible for unprivileged processes to achieve high-impact confidentiality violations or availability disruptions without privilege escalation or scope changes.

Mitigation requires updating to a patched Linux kernel version incorporating the fixes from the referenced stable commits: 5170efd9c344c68a8075dcb8ed38d3f8a60e7ed4 and ba21ab247a5be5382da7464b95afbe5f0e9aa503, available at git.kernel.org. These patches correct the wrap check by directly validating sq_idx while preserving sq_head increments to skip the second half of 128-byte SQEs on subsequent iterations.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

io_uring/fdinfo: fix OOB read in SQE_MIXED wrap check

__io_uring_show_fdinfo() iterates over pending SQEs and, for 128-byte SQEs on an IORING_SETUP_SQE_MIXED ring, needs to detect when the second half of the SQE would be past the end of the sq_sqes array. The current check tests (++sq_head & sq_mask) == 0, but sq_head is only incremented when a 128-byte SQE is encountered, not on every iteration. The actual array index is sq_idx = (i + sq_head) & sq_mask, which can be sq_mask (the last slot) while the wrap check passes.

Fix by checking sq_idx directly. Keep the sq_head increment so the loop still skips the second half of the 128-byte SQE on the next iteration.
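
The wrap check described in the analysis and in the commit description above can be reproduced with a small userspace model. This is an added example, not the kernel's code: walk_sq, demo_ring and the slot layout are constructed for illustration, and only the index expression and the two checks are taken from the text.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed 8-slot ring: true marks a slot holding a 128-byte SQE. */
static const bool demo_ring[8] = { false, false, true, false,
                                   false, false, false, true };

/*
 * Userspace model of the SQE walk (not kernel code). Returns -1 if the wrap
 * check stopped the walk, otherwise the number of 128-byte SQEs whose second
 * half would sit past the last slot. Nothing is read out of bounds here.
 */
static int walk_sq(const bool *is_128, unsigned sq_mask, unsigned sq_head,
                   unsigned pending, bool fixed)
{
    int oob = 0;

    for (unsigned i = 0; i < pending; i++) {
        unsigned sq_idx = (i + sq_head) & sq_mask;

        if (!is_128[sq_idx])
            continue;                   /* 64-byte SQE: one slot */
        if (fixed) {
            if (sq_idx == sq_mask)      /* fixed: test the index itself */
                return -1;
            sq_head++;                  /* still skip the second half */
        } else if ((++sq_head & sq_mask) == 0) {
            return -1;                  /* original check on sq_head */
        }
        if (sq_idx + 1 > sq_mask)       /* second half is slot sq_idx + 1 */
            oob++;
    }
    return oob;
}

int main(void)
{
    /* Slot 2 bumps sq_head to 1, so slot 7 is reached at i = 6. */
    printf("original check: %d\n", walk_sq(demo_ring, 7, 0, 7, false));
    printf("fixed check:    %d\n", walk_sq(demo_ring, 7, 0, 7, true));
    /* The original check fires only when the incremented sq_head is a
     * multiple of the ring size, e.g. sq_head == sq_mask at i == 0. */
    printf("head at mask:   %d\n", walk_sq(demo_ring, 7, 7, 1, false));
    return 0;
}
```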

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

OOB kernel memory read enables credential access via sensitive data exposure (T1212); kernel crash path directly supports DoS via system exploitation (T1499.004). Local low-priv trigger matches both without requiring escalation or remote access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21743: same product (Linux kernel)
CVE-2026-31774: same product (Linux kernel)
CVE-2026-23325: same product (Linux kernel)
CVE-2025-21815: same product (Linux kernel)
CVE-2026-31779: same product (Linux kernel)
CVE-2026-43051: same product (Linux kernel)
CVE-2026-23269: same product (Linux kernel)
CVE-2026-31568: same product (Linux kernel)
CVE-2026-43042: same product (Linux kernel)
CVE-2026-23204: same product (Linux kernel)

Affected Assets

linux
linux kernel
6.19, 7.0 · 6.19.1 — 6.19.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the out-of-bounds read vulnerability by requiring identification, reporting, and timely correction of the specific flaw in the io_uring fdinfo function via kernel patching.

detect

Employs vulnerability scanning to identify the CVE-2026-31484 flaw in the Linux kernel io_uring subsystem, enabling proactive remediation before exploitation.

prevent

Provides memory protections such as randomization and non-executable regions that mitigate the impact of the out-of-bounds read leaking sensitive kernel memory.
