Cyber Resilience

CVE-2026-31525

Severity: High
Published: 22 April 2026
Modified: 28 April 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (3.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31525 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 3.5th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-31525 is a bug in the Linux kernel's BPF interpreter, in the signed 32-bit division (sdiv) and modulo (smod) handlers. Those handlers call the kernel's abs() macro on s32 operands, and abs() is documented in include/linux/math.h as undefined when its argument is the type minimum, S32_MIN (0x80000000). On arm64 and x86 the negation wraps and abs() returns S32_MIN unchanged; the interpreter stores that negative int in a 64-bit register, which sign-extends it to 0xFFFFFFFF80000000, so the do_div() that follows works on the wrong dividend and can yield a wrong quotient or remainder. The verifier's abstract interpretation (scalar32_min_max_sdiv) tracks the mathematically correct result, so the value range it proved safe no longer bounds the value actually in the register; a program that uses such a result to index a map value can read or write outside it. Only the s32 handlers are affected, since the s64 sdiv/smod handlers do not use abs(). The defect sits in the interpreter itself: a program that the kernel JIT-compiles (net.core.bpf_jit_enable set to 1, or a kernel built with CONFIG_BPF_JIT_ALWAYS_ON) executes native code rather than these handlers.

A local attacker with low privileges (AV:L/PR:L) can exploit this issue with low complexity (AC:L) and no user interaction (UI:N), achieving high impact on confidentiality, integrity and availability (C:H/I:H/A:H), for a CVSS 3.1 base score of 7.8. Exploitation uses the verifier/interpreter discrepancy to perform out-of-bounds map value access, classified under CWE-787 (Out-of-bounds Write). One practical qualifier on PR:L: reaching the interpreter means loading a BPF program, and with kernel.unprivileged_bpf_disabled set to 1 or 2 (2 is the build-time default since Linux 5.16) that requires CAP_BPF or CAP_SYS_ADMIN, so an ordinary user can trigger the bug only on systems where unprivileged BPF loading has been enabled (sysctl value 0). `sysctl kernel.unprivileged_bpf_disabled` shows the current setting.

Mitigation is to update to a patched kernel from the stable trees. The fix commits include 0d5d8c3ce45c734aaf3c51cbef59155a6746157d, 694ea55f1b1c74f9942d91ec366ae9e822422e42, 9ab1227765c446942f290c83382f0b19887c55cf, c77b30bd1dcb61f66c640ff7d2757816210c7cb0 and f14ca604c0ff274fba19f73f1f0485c0047c1396. They introduce abs_s32(), which casts to u32 before negating so that |S32_MIN| is representable and no signed overflow occurs, and replace all eight abs((s32)...) call sites in the sdiv32/smod32 handlers.
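The computation described above, as an added example that is not part of this page or of the kernel source: it models the unpatched interpreter's 32-bit sdiv/smod arithmetic and an abs_s32()-style fix in user-space C and compares both with the truncating result the verifier assumes. The handler structure, the names buggy_abs, interp_*, ref_* and sdiv32_mismatch, and the sample divisors are this example's own; the kernel's abs_s32() is only described by the commit message and is not reproduced here.

```c
/*
 * Added example, not kernel code: models the arithmetic behind
 * CVE-2026-31525.  The interpreter's 32-bit sdiv/smod handlers are
 * reproduced with the original abs() and with an abs_s32()-style fix and
 * compared with the truncating result the verifier's range tracking
 * assumes.  Handler shape follows the commit description, not
 * kernel/bpf/core.c verbatim.  Two's-complement target (gcc/clang).
 */
#include <stdint.h>
#include <stdio.h>

typedef int32_t s32; typedef uint32_t u32; typedef uint64_t u64;

/* What abs() yields for S32_MIN on arm64/x86: the negation wraps and
 * S32_MIN comes back.  Unsigned arithmetic keeps this program defined. */
static s32 buggy_abs(s32 x) { return x < 0 ? (s32)(0u - (u32)x) : x; }

/* The fix: negate as u32, so |S32_MIN| == 0x80000000 is representable. */
static u32 abs_s32(s32 x) { return x < 0 ? 0u - (u32)x : (u32)x; }

/* Reference: the truncating result scalar32_min_max_sdiv() tracks.
 * Divisors 0 and -1 are rewritten by the verifier before execution; the
 * BPF rules for 0 (div gives 0, mod keeps dst) only make the model total. */
static s32 ref_sdiv32(s32 dst, s32 src)
{
	return src == 0 ? 0 : (s32)(u32)((int64_t)dst / src);
}

static s32 ref_smod32(s32 dst, s32 src)
{
	return src == 0 ? dst : (s32)(u32)((int64_t)dst % src);
}

/* sdiv32 as the unpatched interpreter computes it.  AX is a 64-bit
 * register, so the negative int from abs() is sign-extended to
 * 0xFFFFFFFF80000000, while do_div() takes a u32 divisor: only the
 * dividend is wrong.  The final -(s32)AX is modelled as wraparound. */
static s32 interp_sdiv32_bug(s32 dst, s32 src)
{
	u64 ax = (u64)(int64_t)buggy_abs(dst);
	if (src == 0)
		return 0;
	ax /= (u32)buggy_abs(src);
	if ((dst < 0) == (src < 0))
		return (s32)(u32)ax;
	return (s32)(0u - (u32)ax);
}

/* Same handler after the fix: u32 -> u64 zero-extends, AX == 0x80000000. */
static s32 interp_sdiv32_fixed(s32 dst, s32 src)
{
	u64 ax = abs_s32(dst);
	if (src == 0)
		return 0;
	ax /= abs_s32(src);
	if ((dst < 0) == (src < 0))
		return (s32)(u32)ax;
	return (s32)(0u - (u32)ax);
}

/* smod32: remainder of the same division, taking the dividend's sign. */
static s32 interp_smod32_bug(s32 dst, s32 src)
{
	u64 ax = (u64)(int64_t)buggy_abs(dst);
	u32 rem;
	if (src == 0)
		return dst;
	rem = (u32)(ax % (u32)buggy_abs(src));
	return dst < 0 ? (s32)(0u - rem) : (s32)rem;
}

static s32 interp_smod32_fixed(s32 dst, s32 src)
{
	u32 rem;
	if (src == 0)
		return dst;
	rem = abs_s32(dst) % abs_s32(src);
	return dst < 0 ? (s32)(0u - rem) : (s32)rem;
}

/* 1 when the unpatched result leaves the range the verifier proved,
 * which is the precondition for an out-of-bounds map-value access. */
static int sdiv32_mismatch(s32 dst, s32 src)
{
	return interp_sdiv32_bug(dst, src) != ref_sdiv32(dst, src);
}

int main(void)
{
	const s32 divs[] = { 1, 2, 3, 5, 7, -2, INT32_MIN };
	for (size_t i = 0; i < sizeof divs / sizeof divs[0]; i++)
		printf("S32_MIN sdiv %11d: verifier %11d unpatched %11d fixed %11d%s\n",
		       divs[i], ref_sdiv32(INT32_MIN, divs[i]),
		       interp_sdiv32_bug(INT32_MIN, divs[i]),
		       interp_sdiv32_fixed(INT32_MIN, divs[i]),
		       sdiv32_mismatch(INT32_MIN, divs[i]) ? " <- mismatch" : "");
	return 0;
}
```

Compile with a C99 compiler and run. For a dividend of S32_MIN the unpatched path happens to agree with the verifier for some divisors (1, 3, 5: those that divide 2^32 - 1, so the sign-extended high word divides out cleanly) and disagrees for others: divisor 2 flips the sign of the result, divisor 7 returns S32_MIN instead of -306783378, and divisor S32_MIN returns -1 instead of 1. Any such disagreement means a register the verifier bounded to a small non-negative range can hold a value far outside it, which is the condition the map-value access check was built on.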

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN. The BPF interpreter's signed 32-bit division and modulo handlers use the kernel abs() macro on s32 operands. The abs() macro documentation (include/linux/math.h) explicitly states the result is undefined when the input is the type minimum. When DST contains S32_MIN (0x80000000), abs((s32)DST) triggers undefined behavior and returns S32_MIN unchanged on arm64/x86. This value is then sign-extended to u64 as 0xFFFFFFFF80000000, causing do_div() to compute the wrong result. The verifier's abstract interpretation (scalar32_min_max_sdiv) computes the mathematically correct result for range tracking, creating a verifier/interpreter mismatch that can be exploited for out-of-bounds map value access. Introduce abs_s32() which handles S32_MIN correctly by casting to u32 before negating, avoiding signed overflow entirely. Replace all 8 abs((s32)...) call sites in the interpreter's sdiv32/smod32 handlers. s32 is the only affected case -- the s64 division/modulo handlers do not use abs().

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Linux kernel BPF verifier/interpreter discrepancy enables local low-priv OOB map access (CWE-787), directly facilitating kernel memory corruption for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137 (same product: Linux kernel)
CVE-2026-31772 (same product: Linux kernel)
CVE-2026-23378 (same product: Linux kernel)
CVE-2026-31494 (same product: Linux kernel)
CVE-2025-21735 (same product: Linux kernel)
CVE-2025-21650 (same product: Linux kernel)
CVE-2024-52319 (same product: Linux kernel)
CVE-2024-58003 (same product: Linux kernel)
CVE-2026-23343 (same product: Linux kernel)
CVE-2026-23092 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 7.0; 6.6 to 6.6.131; 6.7 to 6.12.80; 6.13 to 6.18.21

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-2 Flaw Remediation: Directly mandates timely remediation of kernel flaws like CVE-2026-31525 by applying the patches that fix the BPF interpreter's abs() undefined behavior on S32_MIN, preventing out-of-bounds map access.

Prevent, CM-7 Least Functionality: Restricts unprivileged BPF loading (kernel.unprivileged_bpf_disabled set to 1 or 2), the path a low-privilege local user needs in order to trigger the verifier/interpreter mismatch in the sdiv/smod handlers.

Prevent: Deploys memory protections such as kernel exploit mitigations to limit the damage from out-of-bounds writes to BPF map values caused by the division/modulo computation error.