{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31413", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.087Z", "datePublished": "2026-04-12T05:36:14.632Z", "dateUpdated": "2026-05-11T22:08:13.825Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:13.825Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR\n\nmaybe_fork_scalars() is called for both BPF_AND and BPF_OR when the\nsource operand is a constant. When dst has signed range [-1, 0], it\nforks the verifier state: the pushed path gets dst = 0, the current\npath gets dst = -1.\n\nFor BPF_AND this is correct: 0 & K == 0.\nFor BPF_OR this is wrong: 0 | K == K, not 0.\n\nThe pushed path therefore tracks dst as 0 when the runtime value is K,\nproducing an exploitable verifier/runtime divergence that allows\nout-of-bounds map access.\n\nFix this by passing env->insn_idx (instead of env->insn_idx + 1) to\npush_stack(), so the pushed path re-executes the ALU instruction with\ndst = 0 and naturally computes the correct result for any opcode."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/verifier.c"], "versions": [{"version": "dea9989a3f3961faede93752cd81eb5a9514d911", "lessThan": "342aa1ee995ef5bbf876096dc3a5e51218d76fa4", "status": "affected", "versionType": "git"}, {"version": "4c122e8ae14950cf6b59d208fc5160f7c601e746", "lessThan": "58bd87d0e69204dbd739e4387a1edb0c4b1644e7", "status": "affected", "versionType": "git"}, {"version": "e52567173ba86dbffb990595fbe60e2e83899372", "lessThan": "d13281ae7ea8902b21d99d10a2c8caf0bdec0455", "status": "affected", "versionType": "git"}, {"version": "bffacdb80b93b7b5e96b26fad64cc490a6c7d6c7", "lessThan": "c845894ebd6fb43226b3118d6b017942550910c5", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/bpf/verifier.c"], "versions": [{"version": "6.12.75", "lessThan": "6.12.80", "status": "affected", "versionType": "semver"}, {"version": "6.18.16", "lessThan": "6.18.21", "status": "affected", "versionType": "semver"}, {"version": "6.19.6", "lessThan": "6.19.11", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.75", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.16", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.6", "versionEndExcluding": "6.19.11"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4"}, {"url": "https://git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7"}, {"url": "https://git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455"}, {"url": "https://git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5"}], "title": "bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR\n\nmaybe_fork_scalars() is called for both BPF_AND and BPF_OR when the\nsource operand is a constant. When dst has signed range [-1, 0], it\nforks the verifier state: the pushed path gets dst = 0, the current\npath gets dst = -1.\n\nFor BPF_AND this is correct: 0 & K == 0.\nFor BPF_OR this is wrong: 0 | K == K, not 0.\n\nThe pushed path therefore tracks dst as 0 when the runtime value is K,\nproducing an exploitable verifier/runtime divergence that allows\nout-of-bounds map access.\n\nFix this by passing env->insn_idx (instead of env->insn_idx + 1) to\npush_stack(), so the pushed path re-executes the ALU instruction with\ndst = 0 and naturally computes the correct result for any opcode."}], "id": "CVE-2026-31413", "lastModified": "2026-04-27T14:16:37.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-12T06:16:20.050", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR", "id": "2457626", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457626"}, "csaw": false, "cwe": "CWE-131", "details": ["A flaw was found in the Linux kernel's Berkeley Packet Filter (BPF) component. This vulnerability arises from an incorrect handling of certain operations within the BPF verifier, which is responsible for ensuring the safety of BPF programs. This discrepancy between the verifier's analysis and the program's actual execution can be exploited by a local attacker. Successful exploitation could lead to out-of-bounds memory access, potentially allowing for privilege escalation or information disclosure."], "name": "CVE-2026-31413", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31413\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31413\nhttps://lore.kernel.org/linux-cve-announce/2026041220-CVE-2026-31413-cce6@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[dea9989a3f3961faede93752cd81eb5a9514d911,342aa1ee995ef5bbf876096dc3a5e51218d76fa4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4c122e8ae14950cf6b59d208fc5160f7c601e746,58bd87d0e69204dbd739e4387a1edb0c4b1644e7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[e52567173ba86dbffb990595fbe60e2e83899372,d13281ae7ea8902b21d99d10a2c8caf0bdec0455)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[bffacdb80b93b7b5e96b26fad64cc490a6c7d6c7,c845894ebd6fb43226b3118d6b017942550910c5)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.0-rc1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,7.0-rc1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T16:29:29.142628+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that contains the fix applied in commit 342aa1e", "If an upgrade cannot be performed immediately, restrict the use of BPF programs that employ the BPF_OR opcode with constant operands, or disable BPF loading for untrusted users", "Monitor system logs for anomalous eBPF activity that could indicate an attempt to exploit verifier/state divergence"], "summary": {"action": "Apply Patch", "impact": "Out\u2011of\u2011bounds map access via BPF verifier divergence"}, "threat_synthesis": {"affected_systems": "All Linux kernel installations are potentially affected, though the CVE data does not specify particular kernel releases or version ranges. No version constraints are listed, so any kernel containing the vulnerable verified path code is at risk.", "description_and_impact": "This flaw exists in the Linux kernel\u2019s BPF verifier when the function maybe_fork_scalars handles BPF_OR instructions with constant operands. The verifier incorrectly forks scalar state, assigning a destination register a value of zero on a pushed path while the current path receives a signed value of minus one. For BPF_OR, this produces the wrong result, causing the verifier to diverge from real runtime execution and permitting an eBPF program to perform an out\u2011of\u2011bounds map access. The vulnerability is an instance of unsound scalar forking (CWE\u2011131) that can lead to memory corruption.", "risk_and_exploitability": "The likelihood of exploitation is low (EPSS < 1\u202f%) and the vulnerability is not included in CISA\u2019s KEV catalog. Nevertheless, because it allows a kernel developer or privileged user to craft an eBPF program that reads or writes beyond map bounds, it can lead to privilege escalation or denial of service. The attack vector is most likely local, requiring execution of a malicious eBPF program that uses the BPF_OR opcode on constant operands. Identification of the vulnerability requires knowledge of eBPF verifier internals, but once present, the divergence can be exploited without additional system compromise. The CVSS score of 7.8 indicates a high severity vulnerability."}}}}, "created": "2026-04-13T12:41:33.351669+00:00", "updated": "2026-04-28T16:30:35.106619+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}