PT-2026-34430 · Linux · Linux Kernel

Published: 2026-04-22 · Updated: 2026-05-30 · CVE-2026-31525

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.6
Linux kernel versions prior to 6.12
Linux kernel versions prior to 6.18
Linux kernel versions prior to 6.19

Description

A mismatch between the BPF verifier and the BPF interpreter in the Linux kernel allows for out-of-bounds map value access, which can lead to arbitrary kernel read/write, privilege escalation to root, container escape, disabling of SELinux, and theft of TLS keys from other processes' memory.

The issue stems from the BPF interpreter's signed 32-bit division and modulo handlers using the abs() macro on s32 operands. When the input is S32_MIN (0x80000000), the abs() macro triggers undefined behavior, returning S32_MIN unchanged on arm64 and x86 architectures. This value is then sign-extended to u64 as 0xFFFFFFFF80000000, causing the do_div() function to compute an incorrect result. While the interpreter produces this incorrect value, the verifier's abstract interpretation function scalar32_min_max_sdiv() computes the mathematically correct result for range tracking. This discrepancy allows a program to pass the verifier's bounds checks while the interpreter uses an actual value that is out-of-bounds.

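The arithmetic described above, as an added user-space model for regression testing; it is not kernel code and not part of the original advisory. The function names, the sign fix-up step and the divide-by-zero rule are assumptions, the corrected variant is one well-defined way to take the magnitude rather than the kernel patch, and only division is modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Magnitude of a signed 32-bit value computed in unsigned arithmetic:
 * well defined for every input, 0x80000000 for S32_MIN. */
static uint32_t mag32(int32_t x)
{
    return x < 0 ? 0u - (uint32_t)x : (uint32_t)x;
}

/* Model of abs() on an s32 as the advisory describes it for arm64/x86:
 * S32_MIN comes back unchanged and, still typed s32, is sign-extended
 * when widened to u64 (0xFFFFFFFF80000000). */
static uint64_t abs_s32_widened(int32_t x)
{
    uint32_t m = mag32(x);
    return (m & 0x80000000u) ? (0xFFFFFFFF00000000ull | m) : m;
}

/* Pre-fix model: 64-bit dividend / 32-bit divisor, as do_div() does.
 * The sign fix-up and the "divide by zero gives 0" rule are assumptions. */
uint32_t sdiv32_model_buggy(int32_t a, int32_t b)
{
    if (b == 0)
        return 0;
    uint64_t ax = abs_s32_widened(a) / mag32(b);
    return ((a < 0) == (b < 0)) ? (uint32_t)ax : (uint32_t)(0 - ax);
}

/* Corrected model: the magnitude never leaves 32-bit unsigned arithmetic. */
uint32_t sdiv32_model_fixed(int32_t a, int32_t b)
{
    if (b == 0)
        return 0;
    uint32_t q = mag32(a) / mag32(b);
    return ((a < 0) == (b < 0)) ? q : 0u - q;
}

int main(void)
{
    /* Constructed sample operands. */
    const int32_t in[][2] = { {INT32_MIN, 2}, {INT32_MIN, 1}, {-7, 2}, {100, -3} };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("%11d / %2d  buggy=0x%08x fixed=0x%08x\n", (int)in[i][0], (int)in[i][1],
               (unsigned)sdiv32_model_buggy(in[i][0], in[i][1]),
               (unsigned)sdiv32_model_fixed(in[i][0], in[i][1]));
    return 0;
}
```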
Recommendations

Update the Linux kernel to versions 6.6, 6.12, 6.18, or 6.19 to apply the fix. As a temporary mitigation, restrict the use of signed 32-bit division and modulo operations in BPF programs that handle S32_MIN values.

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2026-31525

Affected Products

Linux Kernel