CVE-2026-31786
Published: 30 April 2026
Summary
CVE-2026-31786 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 0.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31786 is a buffer overflow in the Linux kernel's drivers/xen/sys-hypervisor.c. The build ID returned by the HYPERVISOR_xen_version(XENVER_build_id) hypercall is neither NUL-terminated nor guaranteed to be a valid string; it is raw bytes, not a C string. When buildid_show copies it into the sysfs output buffer with sprintf, the copy keeps reading past the end of the build ID until it happens to find a NUL byte and writes every byte it read into the output buffer, which is the out-of-bounds write. This affects Linux kernels built with Xen hypervisor support that expose the relevant sysfs interface.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution, data corruption, or system denial of service within the kernel context, as indicated by the CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Mitigation involves applying kernel patches that replace the vulnerable sprintf call with memcpy to safely copy a fixed-size build ID without relying on null termination. Relevant commits are available in the Linux kernel stable repository, including 4b4defd2fce3f966c25adabf46644a85558f1169, 52cecff98bda2c51eed1c6ce9d21c5d6268fb19d, 5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a, 8288d031a01dbacfde3fc643f7be3d23504de64d, and d5f59216650c51e5e3fcb7517c825bc8047f60ef. This vulnerability is tracked as Xen Security Advisory XSA-485.
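To show the two ways a "%s"-style copy misbehaves on this reply (truncation at an embedded zero, and a read past the end when no zero is present) next to the length-based copy the fix adopts, here is an added user-space C example. It is not the kernel's code: the struct, the function names and the 64-byte page buffer are constructed stand-ins, and the sample bytes are the 20-byte value from the hex dump in the vulnerability details below.

```c
#include <string.h>
/* Constructed stand-in for the XENVER_build_id reply: a length plus raw bytes.
 * As with the real reply, buf is not NUL terminated and may contain 0x00. */
struct build_id {
    size_t len;
    unsigned char buf[32];
};

/* Fill id with the 20-byte value from the advisory's hex dump; embed_nul=1 keeps
 * the 0x00 at offset 5, embed_nul=0 puts 0x38 there so no NUL lies within len. */
size_t sample_build_id(struct build_id *id, int embed_nul)
{
    static const unsigned char bytes[20] = {
        0xf4, 0x91, 0x51, 0xf4, 0xdd, 0x00, 0x9e, 0x9d, 0x65, 0x47,
        0x52, 0xeb, 0x10, 0x71, 0xdb, 0x50, 0xb9, 0xa8, 0x01, 0x42 };
    memcpy(id->buf, bytes, sizeof bytes);
    id->buf[5] = embed_nul ? 0x00 : 0x38;
    return id->len = sizeof bytes;
}

/* Bytes sprintf(buffer, "%s", buf) would emit, computed without the unsafe read:
 * up to the first NUL inside len (truncation), or -1 if none, i.e. an over-read. */
long percent_s_bytes(int embed_nul)
{
    struct build_id id;
    sample_build_id(&id, embed_nul);
    const unsigned char *nul = memchr(id.buf, '\0', id.len);
    return nul ? (long)(nul - id.buf) : -1;
}

/* Hardened copy in the spirit of the fix: copy exactly len bytes, never scan
 * for a terminator, and refuse a value that does not fit the destination. */
long buildid_copy(const struct build_id *id, unsigned char *dst, size_t dst_size)
{
    if (id->len > dst_size)
        return -1;
    memcpy(dst, id->buf, id->len);
    return (long)id->len;
}

/* Copy the sample into a page-sized output buffer and confirm every byte,
 * embedded zero included, arrived intact. Returns bytes copied, or -1. */
long check_copy(int embed_nul)
{
    struct build_id id;
    unsigned char page[64];
    sample_build_id(&id, embed_nul);
    long n = buildid_copy(&id, page, sizeof page);
    return (n == (long)id.len && memcmp(page, id.buf, id.len) == 0) ? n : -1;
}
```

percent_s_bytes(1) returns 5 (the copy would stop at the embedded zero and lose the rest) and percent_s_bytes(0) returns -1 (no terminator within the declared length, so the copy would run off the end), while check_copy returns 20 in both cases.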
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26364
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

Buffer overflow in drivers/xen/sys-hypervisor.c

The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string. The first causes a buffer overflow as sprintf in buildid_show will read and copy till it finds a NUL.

00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
00000017

So use a memcpy instead of sprintf to have the correct value:

00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
00000010 b9 a8 01 42 |...B|
00000014

(the above have a hack to embed a zero inside and check it's returned correctly).

This is XSA-485 / CVE-2026-31786
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel buffer overflow in Xen sysfs handler directly enables privilege escalation via arbitrary code execution in kernel context (T1068).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely patching of the buffer overflow flaw in the Linux kernel's Xen sys-hypervisor build ID handling to prevent exploitation.
- RA-5 (Vulnerability Monitoring and Scanning): mandates vulnerability scanning to identify unpatched Linux kernels affected by the CVE-2026-31786 buffer overflow.
- Enforces validation of non-NUL-terminated inputs from the Xen hypervisor to avoid buffer overflows during sysfs build ID copying.