CVE-2026-31525
Published: 22 April 2026
Summary
CVE-2026-31525 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 3.5th percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-31525 is a vulnerability in the Linux kernel's BPF interpreter, in the signed 32-bit division (sdiv) and modulo (smod) handlers. These handlers invoke the kernel's abs() macro on s32 operands, and abs() is documented in include/linux/math.h to have an undefined result when its input is the type minimum, here S32_MIN (0x80000000). On arm64 and x86 the observed behaviour is that abs() returns S32_MIN unchanged; because abs() yields an int, storing that value into the 64-bit register sign-extends it to 0xFFFFFFFF80000000, and do_div() then divides the wrong dividend and produces an erroneous quotient or remainder. The verifier's abstract interpretation of the same instruction (scalar32_min_max_sdiv) computes the mathematically correct result for its range tracking, so the bounds the verifier records for the destination register no longer describe the value the interpreter actually produces. Pointer arithmetic on a BPF map value that the verifier bounds-checked using those ranges can therefore reach outside the map value at runtime. Only the s32 operations are affected; the s64 handlers do not use abs(). Note that the defect is confined to the interpreter in kernel/bpf/core.c: kernels built with CONFIG_BPF_JIT_ALWAYS_ON do not compile the interpreter at all, so the vulnerable code is reachable only on kernels whose BPF programs run through the interpreter rather than a JIT.
A local attacker with low privileges (AV:L/PR:L) can exploit this issue with low complexity (AC:L) and no user interaction (UI:N), achieving high impact on confidentiality, integrity and availability (C:H/I:H/A:H), for a CVSS 3.1 base score of 7.8. Exploitation leverages the verifier/interpreter discrepancy to perform out-of-bounds access to BPF map values, classified under CWE-787 (Out-of-bounds Write). The vulnerability requires local access and the ability to load a BPF program; on systems where unprivileged BPF is allowed that is within reach of a basic user account, whereas on systems that disable it (kernel.unprivileged_bpf_disabled) the attacker additionally needs CAP_BPF (or CAP_SYS_ADMIN on kernels without CAP_BPF).
Mitigation requires updating to a patched kernel from the stable repository. Key fixes are commits 0d5d8c3ce45c734aaf3c51cbef59155a6746157d, 694ea55f1b1c74f9942d91ec366ae9e822422e42, 9ab1227765c446942f290c83382f0b19887c55cf, c77b30bd1dcb61f66c640ff7d2757816210c7cb0 and f14ca604c0ff274fba19f73f1f0485c0047c1396. They introduce abs_s32(), which avoids the signed overflow by casting to u32 before negating, so that abs_s32(S32_MIN) is 0x80000000 as an unsigned value, and replace all eight abs((s32)...) call sites in the sdiv32/smod32 handlers.
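As an added illustration that is not code from the kernel or from the fix commits, the following userspace model reproduces the failure described under Deeper analysis and the abs_s32() remedy described just above, for the sdiv case (the smod handler has the same abs() structure and is not modelled). The surrounding interpreter arithmetic (abs() of both operands, unsigned divide, sign fix-up, truncation to 32 bits), the body of abs_s32(), and the names abs_observed, sdiv32_buggy, sdiv32_fixed, sdiv32_reference and mismatch are assumptions made for this model; only the abs() handling is what the advisory is about.

```c
/* Added illustration, not kernel code: userspace model of the BPF
 * interpreter's signed 32-bit division before and after the fix.
 * The interpreter shape below is an assumption made for this model. */
#include <stdint.h>
#include <stdio.h>

typedef int32_t  s32;
typedef int64_t  s64;
typedef uint32_t u32;
typedef uint64_t u64;

#define S32_MIN INT32_MIN

/* Models what the kernel abs() macro is observed to return for an s32
 * on x86/arm64: the negation wraps, so abs(S32_MIN) comes back as
 * S32_MIN. Written in unsigned arithmetic so the model itself has no UB. */
static s32 abs_observed(s32 x)
{
	return x < 0 ? (s32)(0u - (u32)x) : x;
}

/* Reconstruction (assumed shape) of the fixed helper: negate in u32,
 * where wrap-around is defined, so abs_s32(S32_MIN) == 0x80000000u. */
static u32 abs_s32(s32 x)
{
	return x < 0 ? 0u - (u32)x : (u32)x;
}

/* Buggy path: abs() yields an int, which is assigned into the 64-bit
 * register and sign-extended, so S32_MIN becomes 0xFFFFFFFF80000000. */
static u32 sdiv32_buggy(u32 dst_reg, u32 src_reg)
{
	s32 dst = (s32)dst_reg, src = (s32)src_reg;
	if (src == 0)
		return 0;                           /* BPF defines x / 0 as 0 */
	u64 DST = (u64)(s64)abs_observed(dst);  /* int -> u64: sign-extends */
	u32 AX  = (u32)abs_observed(src);
	DST /= AX;                              /* do_div(): u64 / u32 */
	if ((dst < 0) != (src < 0))
		DST = 0 - DST;                      /* restore the quotient sign */
	return (u32)DST;                        /* 32-bit ALU result */
}

/* Fixed path: abs_s32() yields a u32, which zero-extends into the register. */
static u32 sdiv32_fixed(u32 dst_reg, u32 src_reg)
{
	s32 dst = (s32)dst_reg, src = (s32)src_reg;
	if (src == 0)
		return 0;
	u64 DST = abs_s32(dst);                 /* u32 -> u64: zero-extends */
	u32 AX  = abs_s32(src);
	DST /= AX;
	if ((dst < 0) != (src < 0))
		DST = 0 - DST;
	return (u32)DST;
}

/* Mathematically correct result, as the verifier's range tracking
 * assumes: widen to s64, where S32_MIN / n cannot overflow. */
static u32 sdiv32_reference(u32 dst_reg, u32 src_reg)
{
	if (src_reg == 0)
		return 0;
	return (u32)((s64)(s32)dst_reg / (s64)(s32)src_reg);
}

/* 1 when the interpreter model disagrees with what the verifier tracks. */
static int mismatch(u32 dst_reg, u32 src_reg)
{
	return sdiv32_buggy(dst_reg, src_reg) != sdiv32_reference(dst_reg, src_reg);
}

int main(void)
{
	const u32 dst = (u32)S32_MIN;   /* constructed input: 0x80000000 */
	const u32 src = 2;              /* constructed divisor */
	printf("verifier expects : 0x%08x\n", sdiv32_reference(dst, src));
	printf("buggy interpreter: 0x%08x\n", sdiv32_buggy(dst, src));
	printf("fixed interpreter: 0x%08x\n", sdiv32_fixed(dst, src));
	return 0;
}
```

For S32_MIN sdiv 2 the verifier tracks the destination as 0xC0000000 (-1073741824) while the buggy model returns 0x40000000 (+1073741824): the sign of the register has flipped relative to the range the verifier reasoned about, which is why a map-value pointer offset derived from it is no longer constrained by the verifier's bounds check. Ordinary operands such as -7 sdiv 2 agree on both paths, which is why the defect survived the verifier's own tests.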
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24916
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN
The BPF interpreter's signed 32-bit division and modulo handlers use the kernel abs() macro on s32 operands. The abs() macro documentation (include/linux/math.h) explicitly states the result is undefined when the input is the type minimum. When DST contains S32_MIN (0x80000000), abs((s32)DST) triggers undefined behavior and returns S32_MIN unchanged on arm64/x86. This value is then sign-extended to u64 as 0xFFFFFFFF80000000, causing do_div() to compute the wrong result. The verifier's abstract interpretation (scalar32_min_max_sdiv) computes the mathematically correct result for range tracking, creating a verifier/interpreter mismatch that can be exploited for out-of-bounds map value access. Introduce abs_s32() which handles S32_MIN correctly by casting to u32 before negating, avoiding signed overflow entirely. Replace all 8 abs((s32)...) call sites in the interpreter's sdiv32/smod32 handlers. s32 is the only affected case -- the s64 division/modulo handlers do not use abs().
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The Linux kernel BPF verifier/interpreter discrepancy lets a local, low-privileged user perform out-of-bounds access to BPF map values (CWE-787), which gives direct kernel memory corruption and is therefore a privilege-escalation primitive (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mandates timely remediation of kernel flaws such as CVE-2026-31525 by applying the patches that fix the BPF interpreter's abs() undefined behaviour on S32_MIN, removing the verifier/interpreter mismatch that enables out-of-bounds map access.
- CM-7 (Least Functionality): Restricts unprivileged BPF program loading, the attack vector used by low-privilege local users to trigger the mismatch in the sdiv/smod handlers. On Linux this is the kernel.unprivileged_bpf_disabled sysctl: 1 disables unprivileged BPF and cannot be reverted without a reboot, 2 disables it but can be switched back at runtime; check the running value with sysctl kernel.unprivileged_bpf_disabled.
- Memory protection: Deploys kernel exploit mitigations to limit the damage from out-of-bounds writes to BPF map values caused by the division/modulo computation error; this reduces the impact of a successful trigger but does not remove the verifier/interpreter mismatch itself.