CVE-2026-31525: Linux Kernel Privilege Escalation Flaw


CVE-2026-31525 is a privilege escalation vulnerability in the Linux kernel BPF interpreter, in its signed 32-bit division and modulo handlers. Undefined behavior in those handlers lets a local attacker who can load BPF programs obtain a value the verifier never accounted for and use it for out-of-bounds access to BPF map memory.

Updated: May 14, 2026

CVE-2026-31525 Overview

CVE-2026-31525 is a Linux kernel vulnerability in the Berkeley Packet Filter (BPF) interpreter. The flaw resides in the signed 32-bit division (sdiv32) and modulo (smod32) handlers. These handlers invoke the kernel abs() macro on s32 operands, which is undefined behavior when the input equals S32_MIN (0x80000000). The undefined result creates a mismatch between the BPF verifier's abstract interpretation of the instruction and what the interpreter actually computes at runtime. A local attacker with the ability to load BPF programs can exploit this verifier/interpreter divergence to read or write BPF map values out of bounds (CWE-787).

Critical Impact

Local attackers can exploit the verifier/interpreter mismatch to achieve out-of-bounds map value access, potentially leading to memory corruption and local privilege escalation.

Affected Products

Linux Kernel 7.0-rc1
Linux Kernel 7.0-rc2
Linux Kernel 7.0-rc3
Linux Kernel 7.0-rc4

Discovery Timeline

2026-04-22 - CVE-2026-31525 published to NVD
2026-04-28 - Last updated in NVD database

Technical Details for CVE-2026-31525

Vulnerability Analysis

The BPF interpreter implements signed 32-bit division and modulo by applying the kernel abs() macro to s32 operands. The abs() macro, defined in include/linux/math.h, explicitly documents that its result is undefined when the input equals the minimum value of the type. When the destination register DST holds S32_MIN (0x80000000), abs((s32)DST) negates INT_MIN, which is signed integer overflow.

On arm64 and x86 the compiled negation simply wraps, so abs() returns S32_MIN unchanged. The interpreter then widens this int into a u64, sign-extending it to 0xFFFFFFFF80000000, and the subsequent do_div() call computes its quotient or remainder from this corrupted dividend.

The BPF verifier, by contrast, performs abstract interpretation in scalar32_min_max_sdiv and tracks the result range using mathematically correct signed division. It therefore approves the program on the basis of bounds that the interpreter does not honor at runtime.

Root Cause

The root cause is undefined behavior in signed integer negation: in two's-complement arithmetic, -INT_MIN is not representable as a positive s32, and the kernel abs() macro does not guard against this case. The fix introduces abs_s32(), which casts the operand to u32 before negating it, so the negation is performed with well-defined unsigned wraparound and no signed overflow occurs. The patch replaces all eight abs((s32)...) call sites in the sdiv32 and smod32 handlers. The 64-bit signed division and modulo handlers are unaffected because they do not use abs().

Attack Vector

Exploitation requires local access and the privilege to load BPF programs. The attacker crafts a BPF program containing a signed 32-bit division or modulo whose dividend can equal S32_MIN. The verifier computes valid bounds for the quotient using correct arithmetic. 
The interpreter then computes a different result at runtime, so the attacker obtains a scalar value outside the verifier-approved range. Using this out-of-range scalar to index into a BPF map value produces an out-of-bounds read or write in kernel memory.

The vulnerability requires the BPF interpreter to be in use, which is the case when the BPF JIT is disabled (net.core.bpf_jit_enable = 0) or unavailable for the target architecture configuration; kernels built with CONFIG_BPF_JIT_ALWAYS_ON do not include the interpreter at all.

Detection Methods for CVE-2026-31525

Indicators of Compromise

Unexpected loading of BPF programs by non-root users on systems where kernel.unprivileged_bpf_disabled is set to 0.
BPF programs containing the signed 32-bit forms of BPF_ALU | BPF_DIV and BPF_ALU | BPF_MOD (BPF_K or BPF_X, with the instruction's offset field set to 1; bpftool renders them as s/= and s%= in an xlated dump) whose dividend can reach S32_MIN.
Kernel oops or memory corruption traces originating from BPF map value accesses.
Audit log entries showing bpf() syscall activity from unprivileged contexts.

Detection Strategies

Audit bpf() syscall invocations via the Linux audit subsystem and correlate them with the calling UID.
Inspect loaded BPF programs with bpftool prog dump xlated to identify suspicious signed division or modulo instructions.
Monitor for kernel address space anomalies and unexpected map value reads outside expected bounds using KASAN-instrumented kernels in test environments.

Monitoring Recommendations

Forward kernel audit and dmesg output to a centralized logging platform for retention and correlation.
Track the value of /proc/sys/kernel/unprivileged_bpf_disabled and alert on changes.
Baseline legitimate BPF program loaders such as systemd, container runtimes, and observability agents, and flag deviations.

How to Mitigate CVE-2026-31525

Immediate Actions Required

Apply the upstream kernel patches referenced in Linux Kernel Commit 0d5d8c3 and the related stable tree commits.
Disable unprivileged BPF program loading...
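The program below is an added illustration of the Technical Details, Root Cause and Attack Vector sections; it is not kernel code and not part of this advisory. It models the sdiv32/smod32 handler in user space along the lines the text describes (abs() of both operands, widening of the dividend into a 64-bit AX register, an unsigned do_div(), then a sign fix-up), with abs() emulated as x86 and arm64 actually compile it for S32_MIN, beside a reconstructed abs_s32() fix and the truncating signed arithmetic the verifier's range tracking assumes. The exact kernel handler layout, the abs_s32() signature and the sample operand set are assumptions made for the example.

```c
/*
 * Added example, not kernel code: user-space model of the sdiv32/smod32
 * divergence behind CVE-2026-31525. Handler shape (abs -> u64 AX register
 * -> unsigned do_div() -> sign fix-up), abs_s32() and the sample operands
 * are reconstructed from the advisory text and are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t s32;
typedef int64_t s64;
typedef uint32_t u32;
typedef uint64_t u64;
#define S32_MIN INT32_MIN
#define S32_MAX INT32_MAX

/* Kernel abs() on an s32 negates it. For S32_MIN that is signed overflow
 * (undefined in C); x86 and arm64 emit a NEG that wraps back to S32_MIN.
 * Emulated with defined unsigned wraparound so this program has no UB. */
static s32 abs_as_compiled(s32 x)
{
	return x < 0 ? (s32)(0u - (u32)x) : x;
}

/* The fix as described: negate in u32, where wraparound is defined, and
 * return a u32 so |S32_MIN| == 0x80000000 can never sign-extend. */
static u32 abs_s32(s32 x)
{
	return x < 0 ? 0u - (u32)x : (u32)x;
}

/* Interpreter model for sdiv32 (mod == false) and smod32 (mod == true).
 * On the vulnerable path |dst| is an int widened into the u64 AX register,
 * so S32_MIN sign-extends to 0xFFFFFFFF80000000 before do_div() runs.
 * do_div() takes a 32-bit divisor, so |src| is truncated to u32 either way. */
static s32 interp(s32 dst, s32 src, bool mod, bool fixed)
{
	u64 ax;
	u32 divisor, r;

	if (src == 0)				/* BPF: x / 0 == 0, x % 0 == x */
		return mod ? dst : 0;
	if (fixed) {
		ax = abs_s32(dst);		/* u32 -> u64 zero-extends */
		divisor = abs_s32(src);
	} else {
		ax = (u64)(s64)abs_as_compiled(dst);	/* int -> u64 sign-extends */
		divisor = (u32)abs_as_compiled(src);
	}
	if (mod) {				/* do_div() returns the remainder ... */
		r = (u32)(ax % divisor);
		return (s32)(dst < 0 ? 0u - r : r);	/* ... sign follows the dividend */
	}
	r = (u32)(ax / divisor);		/* ... and leaves the quotient in AX */
	return (s32)((dst < 0) != (src < 0) ? 0u - r : r);
}

/* What the verifier's range tracking assumes: plain truncating signed
 * arithmetic, with the BPF-defined results for division by zero and for the
 * overflowing S32_MIN / -1 (S32_MIN) and S32_MIN % -1 (0) cases. */
static s32 reference(s32 dst, s32 src, bool mod)
{
	if (src == 0)
		return mod ? dst : 0;
	if (src == -1)
		return mod ? 0 : (dst == S32_MIN ? S32_MIN : -dst);
	return mod ? dst % src : dst / src;
}

/* Count the (dst, src, op) cases from a constructed operand set around the
 * type limits on which the interpreter model disagrees with the reference.
 * Only the vulnerable path diverges, and only when dst == S32_MIN. */
static int count_divergences(bool fixed)
{
	static const s32 dsts[] = { S32_MIN, S32_MIN + 1, -7, 0, 7, S32_MAX };
	static const s32 srcs[] = { S32_MIN, -7, -2, -1, 1, 2, 7, S32_MAX };
	int bad = 0;

	for (size_t i = 0; i < sizeof dsts / sizeof dsts[0]; i++)
		for (size_t j = 0; j < sizeof srcs / sizeof srcs[0]; j++)
			for (int mod = 0; mod < 2; mod++)
				if (interp(dsts[i], srcs[j], mod, fixed) !=
				    reference(dsts[i], srcs[j], mod))
					bad++;
	return bad;
}

int main(void)
{
	printf("S32_MIN s/= 2: verifier %d, vulnerable %d, fixed %d\n",
	       reference(S32_MIN, 2, false), interp(S32_MIN, 2, false, false),
	       interp(S32_MIN, 2, false, true));
	printf("S32_MIN s%%= 7: verifier %d, vulnerable %d, fixed %d\n",
	       reference(S32_MIN, 7, true), interp(S32_MIN, 7, true, false),
	       interp(S32_MIN, 7, true, true));
	printf("divergent cases: vulnerable %d, fixed %d\n",
	       count_divergences(false), count_divergences(true));
	return 0;
}
```

Build with any C99 compiler and run. For S32_MIN s/= 2 the reference and the fixed path both give -1073741824 while the vulnerable path gives +1073741824; for S32_MIN s%= 7 the reference gives -2 and the vulnerable path 0. That sign flip is the whole primitive: a program that computes the quotient, adds 1073741824 and uses the sum as an offset into a map value is approved by the verifier with an offset of 0, while the interpreter actually produces 2147483648. Note that for some divisors (1, -1, 3) the low 32 bits of the corrupted 64-bit quotient happen to match the correct result, so a divergence check has to try several operand values rather than one.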
