CVE-2026-31413
Published: Apr 12, 2026
Modified: May 11, 2026
CVSS v3.1
7.8
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access. Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected dea9989a3f3961faede93752cd81eb5a9514d911 - < 342aa1ee995ef5bbf876096dc3a5e51218d76fa4affected 4c122e8ae14950cf6b59d208fc5160f7c601e746 - < 58bd87d0e69204dbd739e4387a1edb0c4b1644e7affected e52567173ba86dbffb990595fbe60e2e83899372 - < d13281ae7ea8902b21d99d10a2c8caf0bdec0455affected bffacdb80b93b7b5e96b26fad64cc490a6c7d6c7 - < c845894ebd6fb43226b3118d6b017942550910c5 |
Linux | Linux | affected 6.12.75 - < 6.12.80affected 6.18.16 - < 6.18.21affected 6.19.6 - < 6.19.11 |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now