CVE-2026-31786
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
Buffer overflow in drivers/xen/sys-hypervisor.c
The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string.
The first causes a buffer overflow as sprintf in buildid_show will read and copy till it finds a NUL.
00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P| 00000010 b9 a8 01 42 6f 2e 32 |…Bo.2| 00000017
So use a memcpy instead of sprintf to have the correct value:
00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q…..eGR..q.P| 00000010 b9 a8 01 42 |…B| 00000014
(the above have a hack to embed a zero inside and check it's returned correctly).
This is XSA-485 / CVE-2026-31786
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 84b7625728ea311ea35bdaa0eded53c1c56baeaa < e3af585e1728c917682b6a3de9a69b41fb9194d4 | affected |
| Linux | Linux | 84b7625728ea311ea35bdaa0eded53c1c56baeaa < 8288d031a01dbacfde3fc643f7be3d23504de64d | affected |
| Linux | Linux | 84b7625728ea311ea35bdaa0eded53c1c56baeaa < f458ba102da97fafca106327086fc95f3fc764cb | affected |
| Linux | Linux | 84b7625728ea311ea35bdaa0eded53c1c56baeaa < 4b4defd2fce3f966c25adabf46644a85558f1169 | affected |
| Linux | Linux | 84b7625728ea311ea35bdaa0eded53c1c56baeaa < 5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a | affected |
| Linux | Linux | 84b7625728ea311ea35bdaa0eded53c1c56baeaa < d5f59216650c51e5e3fcb7517c825bc8047f60ef | affected |
| Linux | Linux | 84b7625728ea311ea35bdaa0eded53c1c56baeaa < 52cecff98bda2c51eed1c6ce9d21c5d6268fb19d | affected |
| Linux | Linux | 84b7625728ea311ea35bdaa0eded53c1c56baeaa < 27fdbab4221b375de54bf91919798d88520c6e28 | affected |
| Linux | Linux | 4.13 | affected |
| Linux | Linux | 0 < 4.13 | unaffected |
| Linux | Linux | 5.10.254 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.204 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.170 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.137 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.85 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.26 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.3 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- http://www.openwall.com/lists/oss-security/2026/04/28/12
- http://xenbits.xen.org/xsa/advisory-485.html
References
- https://git.kernel.org/stable/c/e3af585e1728c917682b6a3de9a69b41fb9194d4
- https://git.kernel.org/stable/c/8288d031a01dbacfde3fc643f7be3d23504de64d
- https://git.kernel.org/stable/c/f458ba102da97fafca106327086fc95f3fc764cb
- https://git.kernel.org/stable/c/4b4defd2fce3f966c25adabf46644a85558f1169
- https://git.kernel.org/stable/c/5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a
- https://git.kernel.org/stable/c/d5f59216650c51e5e3fcb7517c825bc8047f60ef
- https://git.kernel.org/stable/c/52cecff98bda2c51eed1c6ce9d21c5d6268fb19d
- https://git.kernel.org/stable/c/27fdbab4221b375de54bf91919798d88520c6e28
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.