CVE-2026-31568
Published: 24 April 2026
Summary
CVE-2026-31568 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 2.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely patching of the Linux kernel s390/mm flaw to add fixups for secure storage access exceptions on Ultravisor-donated pages.
Identifies the specific kernel CVE through vulnerability scanning of s390 systems, enabling prompt remediation to prevent exploitation.
Monitors for exploitation indicators like infinite secure storage exception loops causing high availability impact through system resource exhaustion.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel out-of-bounds read on s390 secure storage enables exploitation for credential/data access (C:H) and system DoS via unresolvable exception loops (A:H).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: s390/mm: Add missing secure storage access fixups for donated memory There are special cases where secure storage access exceptions happen in a kernel context for pages that don't have the…
more
PG_arch_1 bit set. That bit is set for non-exported guest secure storage (memory) but is absent on storage donated to the Ultravisor since the kernel isn't allowed to export donated pages. Prior to this patch we would try to export the page by calling arch_make_folio_accessible() which would instantly return since the arch bit is absent signifying that the page was already exported and no further action is necessary. This leads to secure storage access exception loops which can never be resolved. With this patch we unconditionally try to export and if that fails we fixup.
Deeper analysisAI
CVE-2026-31568 is a vulnerability in the Linux kernel's s390/mm component, affecting IBM Z/s390 architecture systems. It stems from missing fixups for secure storage access exceptions on pages donated to the Ultravisor that lack the PG_arch_1 bit, which indicates non-exported guest secure storage. Without the bit set, prior kernel behavior incorrectly assumes the page is already exported via arch_make_folio_accessible(), leading to unresolvable secure storage access exception loops.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) on an unchanged scope (S:U) system. Successful exploitation yields high confidentiality impact (C:H), potentially exposing sensitive secure storage data, and high availability impact (A:H) through denial-of-service via infinite exception loops. The issue aligns with CWE-125 (Out-of-bounds Read).
Mitigation requires applying the relevant Linux kernel stable patches, as detailed in the commit references: https://git.kernel.org/stable/c/43ac2d18db1131df0a89993f709131ebfc29f3bd, https://git.kernel.org/stable/c/b00be77302d7ec4ad0367bb236494fce7172b730, and https://git.kernel.org/stable/c/b36b0e804aee5f20c6798dbeaeaa7cfdb7c6cf88. These patches unconditionally attempt to export the page and provide fixups if export fails, resolving the exception loops. The vulnerability was published on 2026-04-24 with a CVSS v3.1 base score of 7.1.
Details
- CWE(s)