CVE-2026-31786

Summary

In the Linux kernel, the following vulnerability has been resolved:

Buffer overflow in drivers/xen/sys-hypervisor.c

The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string.

The first causes a buffer overflow as sprintf in buildid_show will read and copy till it finds a NUL.

00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P| 00000010 b9 a8 01 42 6f 2e 32 |…Bo.2| 00000017

So use a memcpy instead of sprintf to have the correct value:

00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q…..eGR..q.P| 00000010 b9 a8 01 42 |…B| 00000014

(the above have a hack to embed a zero inside and check it's returned correctly).

This is XSA-485 / CVE-2026-31786

Affected Software

VendorProductVersion RangeStatus
LinuxLinux84b7625728ea311ea35bdaa0eded53c1c56baeaa < e3af585e1728c917682b6a3de9a69b41fb9194d4affected
LinuxLinux84b7625728ea311ea35bdaa0eded53c1c56baeaa < 8288d031a01dbacfde3fc643f7be3d23504de64daffected
LinuxLinux84b7625728ea311ea35bdaa0eded53c1c56baeaa < f458ba102da97fafca106327086fc95f3fc764cbaffected
LinuxLinux84b7625728ea311ea35bdaa0eded53c1c56baeaa < 4b4defd2fce3f966c25adabf46644a85558f1169affected
LinuxLinux84b7625728ea311ea35bdaa0eded53c1c56baeaa < 5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0aaffected
LinuxLinux84b7625728ea311ea35bdaa0eded53c1c56baeaa < d5f59216650c51e5e3fcb7517c825bc8047f60efaffected
LinuxLinux84b7625728ea311ea35bdaa0eded53c1c56baeaa < 52cecff98bda2c51eed1c6ce9d21c5d6268fb19daffected
LinuxLinux84b7625728ea311ea35bdaa0eded53c1c56baeaa < 27fdbab4221b375de54bf91919798d88520c6e28affected
LinuxLinux4.13affected
LinuxLinux0 < 4.13unaffected
LinuxLinux5.10.254 <= 5.10.*unaffected
LinuxLinux5.15.204 <= 5.15.*unaffected
LinuxLinux6.1.170 <= 6.1.*unaffected
LinuxLinux6.6.137 <= 6.6.*unaffected
LinuxLinux6.12.85 <= 6.12.*unaffected
LinuxLinux6.18.26 <= 6.18.*unaffected
LinuxLinux7.0.3 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References