CVE-2026-31742
Published: 01 May 2026
Summary
CVE-2026-31742 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the stale unicode buffer mismatch during vt alternate screen transitions and console resizes by applying the upstream kernel patches.
Implements memory protections such as bounds checking and address space randomization to mitigate out-of-bounds access in the kernel vt unicode buffer.
Monitors and scans for known vulnerabilities like CVE-2026-31742 in Linux kernel versions to identify systems requiring remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel OOB memory access in vt subsystem enables privilege escalation via exploitation (T1068) and endpoint DoS via system exploitation leading to crashes (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: vt: discard stale unicode buffer on alt screen exit after resize When enter_alt_screen() saves vc_uni_lines into vc_saved_uni_lines and sets vc_uni_lines to NULL, a subsequent console resize via vc_do_resize() skips reallocating…
more
the unicode buffer because vc_uni_lines is NULL. However, vc_saved_uni_lines still points to the old buffer allocated for the original dimensions. When leave_alt_screen() later restores vc_saved_uni_lines, the buffer dimensions no longer match vc_rows/vc_cols. Any operation that iterates over the unicode buffer using the current dimensions (e.g. csi_J clearing the screen) will access memory out of bounds, causing a kernel oops: BUG: unable to handle page fault for address: 0x0000002000000020 RIP: 0010:csi_J+0x133/0x2d0 The faulting address 0x0000002000000020 is two adjacent u32 space characters (0x20) interpreted as a pointer, read from the row data area past the end of the 25-entry pointer array in a buffer allocated for 80x25 but accessed with 240x67 dimensions. Fix this by checking whether the console dimensions changed while in the alternate screen. If they did, free the stale saved buffer instead of restoring it. The unicode screen will be lazily rebuilt via vc_uniscr_check() when next needed.
Deeper analysisAI
CVE-2026-31742 is a vulnerability in the Linux kernel's virtual terminal (vt) subsystem related to unicode buffer handling during alternate screen transitions and console resizes. When entering the alternate screen via enter_alt_screen(), the current vc_uni_lines buffer is saved to vc_saved_uni_lines and the active vc_uni_lines is set to NULL. A subsequent resize via vc_do_resize() skips unicode buffer reallocation because vc_uni_lines is NULL, leaving vc_saved_uni_lines pointing to a buffer sized for the original dimensions. Exiting the alternate screen via leave_alt_screen() then restores this stale buffer, which no longer matches the updated vc_rows and vc_cols, leading to out-of-bounds memory access during operations like csi_J screen clearing and triggering a kernel oops, such as a page fault at an invalid address derived from misinterpreted buffer data.
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation requires local access with low privileges, low complexity, and no user interaction. A local attacker can trigger the out-of-bounds access by entering the alternate screen, resizing the console, and then exiting the alternate screen followed by a screen-clearing operation, resulting in high impacts to confidentiality, integrity, and availability, including kernel crashes via page faults.
Patches resolve the issue by adding a check in leave_alt_screen() to detect dimension changes during alternate screen use; if changed, the stale vc_saved_uni_lines buffer is freed rather than restored, with the unicode screen rebuilt lazily via vc_uniscr_check() when next required. Relevant upstream fixes are in the following kernel commits: https://git.kernel.org/stable/c/40014493cece72a0be5672cd86763e53fb3ec613, https://git.kernel.org/stable/c/428fdf55301e6c8fa5a36b426240797b1cf86570, and https://git.kernel.org/stable/c/891d790fdb5c96c6e1d2841e06ee6c360f2d1288.
Details
- CWE(s)