CVE-2026-31521
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
module: Fix kernel panic when a symbol st_shndx is out of bounds
The module loader doesn't check for bounds of the ELF section index in simplify_symbols():
for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
const char *name = info->strtab + sym[i].st_name;
switch (sym[i].st_shndx) {
case SHN_COMMON:
[...]
default:
/* Divert to percpu allocation if a percpu var. */
if (sym[i].st_shndx == info->index.pcpu)
secbase = (unsigned long)mod_percpu(mod);
else
/** HERE –> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr; sym[i].st_value += secbase; break; } }
A symbol with an out-of-bounds st_shndx value, for example 0xffff (known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:
BUG: unable to handle page fault for address: … RIP: 0010:simplify_symbols+0x2b2/0x480 … Kernel panic - not syncing: Fatal exception
This can happen when module ELF is legitimately using SHN_XINDEX or when it is corrupted.
Add a bounds check in simplify_symbols() to validate that st_shndx is within the valid range before using it.
This issue was discovered due to a bug in llvm-objcopy, see relevant discussion for details [1].
[1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 5d16f519b6eb1d071807e57efe0df2baa8d32ad6 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 4bbdb0e48176fd281c2b9a211b110db6fd94e175 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 082f15d2887329e0f43fd3727e69365f5bfe5d2c | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < ec2b22a58073f80739013588af448ff6e2ab906f | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < ef75dc1401d8e797ee51559a0dd0336c225e1776 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 6ba6957c640f58dc8ef046981a045da43e47ea23 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < f9d69d5e7bde2295eb7488a56f094ac8f5383b92 | affected |
| Linux | Linux | 2.6.12 | affected |
| Linux | Linux | 0 < 2.6.12 | unaffected |
| Linux | Linux | 5.15.203 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.168 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.131 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.80 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.21 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.11 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/5d16f519b6eb1d071807e57efe0df2baa8d32ad6
- https://git.kernel.org/stable/c/4bbdb0e48176fd281c2b9a211b110db6fd94e175
- https://git.kernel.org/stable/c/082f15d2887329e0f43fd3727e69365f5bfe5d2c
- https://git.kernel.org/stable/c/ec2b22a58073f80739013588af448ff6e2ab906f
- https://git.kernel.org/stable/c/ef75dc1401d8e797ee51559a0dd0336c225e1776
- https://git.kernel.org/stable/c/6ba6957c640f58dc8ef046981a045da43e47ea23
- https://git.kernel.org/stable/c/f9d69d5e7bde2295eb7488a56f094ac8f5383b92
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.