bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR

maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the
source operand is a constant. When dst has signed range [-1, 0], it
forks the verifier state: the pushed path gets dst = 0, the current
path gets dst = -1.

For BPF_AND this is correct: 0 & K == 0.
For BPF_OR this is wrong: 0 | K == K, not 0.

The pushed path therefore tracks dst as 0 when the runtime value is K,
producing an exploitable verifier/runtime divergence that allows
out-of-bounds map access.

Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to
push_stack(), so the pushed path re-executes the ALU instruction with
dst = 0 and naturally computes the correct result for any opcode.

Basic Information

ID CVE-2026-31413

Source Linux

Published Apr 12, 2026 at 05:36

Modified Apr 27, 2026 at 14:02

Affected Product

Vendor Linux

Product Linux

Version dea9989a3f3961faede93752cd81eb5a9514d911

Affected Versions Linux Linux dea9989a3f3961faede93752cd81eb5a9514d911
Linux Linux 4c122e8ae14950cf6b59d208fc5160f7c601e746
Linux Linux e52567173ba86dbffb990595fbe60e2e83899372
Linux Linux bffacdb80b93b7b5e96b26fad64cc490a6c7d6c7
Linux Linux 6.12.75
Linux Linux 6.18.16
Linux Linux 6.19.6

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR\n\nmaybe_fork_scalars() is called for both BPF_AND and BPF_OR when the\nsource operand is a constant.  When dst has signed range [-1, 0], it\nforks the verifier state: the pushed path gets dst = 0, the current\npath gets dst = -1.\n\nFor BPF_AND this is correct: 0 & K == 0.\nFor BPF_OR this is wrong:    0 | K == K, not 0.\n\nThe pushed path therefore tracks dst as 0 when the runtime value is K,\nproducing an exploitable verifier/runtime divergence that allows\nout-of-bounds map access.\n\nFix this by passing env->insn_idx (instead of env->insn_idx + 1) to\npush_stack(), so the pushed path re-executes the ALU instruction with\ndst = 0 and naturally computes the correct result for any opcode.",
    "published": "2026-04-12T05:36:14.632Z",
    "modified": "2026-04-27T14:02:58.059Z",
    "type": "cve",
    "title": "bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4\nhttps://git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7\nhttps://git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455\nhttps://git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5",
    "id": "CVE-2026-31413",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux dea9989a3f3961faede93752cd81eb5a9514d911\nLinux Linux 4c122e8ae14950cf6b59d208fc5160f7c601e746\nLinux Linux e52567173ba86dbffb990595fbe60e2e83899372\nLinux Linux bffacdb80b93b7b5e96b26fad64cc490a6c7d6c7\nLinux Linux 6.12.75\nLinux Linux 6.18.16\nLinux Linux 6.19.6",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "dea9989a3f3961faede93752cd81eb5a9514d911",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR_CVE-2026-31413

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply