Cyber Resilience

CVE-2026-31786

High

Published: 30 April 2026

Modified
06 May 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31786 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31786 is a buffer overflow vulnerability in the Linux kernel's drivers/xen/sys-hypervisor.c component. The issue arises because the build ID returned by the HYPERVISOR_xen_version(XENVER_build_id) hypercall is neither null-terminated nor guaranteed to be a valid string. When the buildid_show function uses sprintf to copy this data, it reads beyond the buffer's end until it encounters a null byte, triggering the overflow. This affects Linux kernels that include Xen hypervisor support and expose the relevant sysfs interface.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation has a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution, data corruption, or system denial of service within the kernel context, as indicated by the CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Mitigation involves applying kernel patches that replace the vulnerable sprintf call with memcpy to safely copy a fixed-size build ID without relying on null termination. Relevant commits are available in the Linux kernel stable repository, including 4b4defd2fce3f966c25adabf46644a85558f1169, 52cecff98bda2c51eed1c6ce9d21c5d6268fb19d, 5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a, 8288d031a01dbacfde3fc643f7be3d23504de64d, and d5f59216650c51e5e3fcb7517c825bc8047f60ef. This vulnerability is tracked as Xen Security Advisory XSA-485.
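The difference between string-based and length-based copying described above, as an added user-space example (not the kernel source or the upstream patch). The function names and `PAGE_BUF` are hypothetical; the two 20-byte build IDs are the values shown in the hexdumps on this page.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define PAGE_BUF 4096 /* models the page-sized buffer sysfs passes to show() */

/* 20-byte build IDs copied from the hexdumps on this page. */
static const unsigned char id_plain[20] = { /* contains no zero byte */
    0xf4, 0x91, 0x51, 0xf4, 0xdd, 0x38, 0x9e, 0x9d, 0x65, 0x47,
    0x52, 0xeb, 0x10, 0x71, 0xdb, 0x50, 0xb9, 0xa8, 0x01, 0x42 };
static const unsigned char id_zero[20] = {  /* zero embedded at offset 5 */
    0xf4, 0x91, 0x51, 0xf4, 0xdd, 0x00, 0x9e, 0x9d, 0x65, 0x47,
    0x52, 0xeb, 0x10, 0x71, 0xdb, 0x50, 0xb9, 0xa8, 0x01, 0x42 };

/* True when no zero byte lies inside the buffer: an unbounded "%s" copy of
 * such data keeps reading whatever memory follows it. */
static int lacks_terminator(const unsigned char *id, size_t len)
{
    return memchr(id, 0, len) == NULL;
}

/* "%s" semantics with the read capped at len (precision), so this model never
 * overreads. It still stops at the first zero byte and truncates binary IDs. */
static ssize_t show_as_string(const unsigned char *id, size_t len, char *out)
{
    return snprintf(out, PAGE_BUF, "%.*s", (int)len, (const char *)id);
}

/* Length-based copy: the ID is opaque bytes and its length is authoritative. */
static ssize_t show_as_bytes(const unsigned char *id, size_t len, char *out)
{
    if (len > PAGE_BUF)
        return -1; /* refuse instead of overrunning the output page */
    memcpy(out, id, len);
    return (ssize_t)len;
}

int main(void)
{
    char page[PAGE_BUF];

    printf("no terminator in id_plain: %d\n",
           lacks_terminator(id_plain, sizeof id_plain));
    printf("string copy of id_zero: %zd bytes\n",
           show_as_string(id_zero, sizeof id_zero, page));
    printf("byte copy of id_zero:   %zd bytes\n",
           show_as_bytes(id_zero, sizeof id_zero, page));
    return 0;
}
```

The string-style copy returns 5 bytes for the ID with an embedded zero, while the length-based copy returns all 20, which matches the two failure modes the advisory names: data that is not NUL terminated and data that is not a string.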

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

Buffer overflow in drivers/xen/sys-hypervisor.c

The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string. The first causes a buffer overflow as sprintf in buildid_show will read and copy till it finds a NUL.

    00000000  f4 91 51 f4 dd 38 9e 9d  65 47 52 eb 10 71 db 50  |..Q..8..eGR..q.P|
    00000010  b9 a8 01 42 6f 2e 32                              |...Bo.2|
    00000017

So use a memcpy instead of sprintf to have the correct value:

    00000000  f4 91 51 f4 dd 00 9e 9d  65 47 52 eb 10 71 db 50  |..Q.....eGR..q.P|
    00000010  b9 a8 01 42                                       |...B|
    00000014

(the above have a hack to embed a zero inside and check it's returned correctly).

This is XSA-485 / CVE-2026-31786

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel buffer overflow in Xen sysfs handler directly enables privilege escalation via arbitrary code execution in kernel context (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137 · Same product: Linux Kernel
CVE-2026-31772 · Same product: Linux Kernel
CVE-2026-23378 · Same product: Linux Kernel
CVE-2026-31494 · Same product: Linux Kernel
CVE-2025-21735 · Same product: Linux Kernel
CVE-2025-21650 · Same product: Linux Kernel
CVE-2024-52319 · Same product: Linux Kernel
CVE-2024-58003 · Same product: Linux Kernel
CVE-2026-23343 · Same product: Linux Kernel
CVE-2026-23092 · Same product: Linux Kernel

Affected Assets

linux
linux kernel
7.1 · 4.13 — 5.10.254 · 5.11 — 5.15.204 · 5.16 — 6.1.170

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires timely patching of the buffer overflow flaw in the Linux kernel's Xen sys-hypervisor build ID handling to prevent exploitation.

detect

Mandates vulnerability scanning to identify unpatched Linux kernels affected by CVE-2026-31786 buffer overflow.

prevent

Enforces validation of non-null-terminated inputs from the Xen hypervisor to avoid buffer overflows during sysfs build ID copying.

References