2457626 – (CVE-2026-31413) CVE-2026-31413 kernel: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR

Bug 2457626 (CVE-2026-31413) - CVE-2026-31413 kernel: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR

Summary: CVE-2026-31413 kernel: bpf: Fix unsound scalar forking in maybe_fork_scalars(...

Keywords:
Status:	NEW
Alias:	CVE-2026-31413
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-12 07:01 UTC by OSIDB Bzimport
Modified:	2026-04-13 09:09 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-12 07:01:17 UTC

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR

maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the
source operand is a constant.  When dst has signed range [-1, 0], it
forks the verifier state: the pushed path gets dst = 0, the current
path gets dst = -1.

For BPF_AND this is correct: 0 & K == 0.
For BPF_OR this is wrong:    0 | K == K, not 0.

The pushed path therefore tracks dst as 0 when the runtime value is K,
producing an exploitable verifier/runtime divergence that allows
out-of-bounds map access.

Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to
push_stack(), so the pushed path re-executes the ALU instruction with
dst = 0 and naturally computes the correct result for any opcode.

Comment 1 Alexander B 2026-04-13 09:06:35 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026041220-CVE-2026-31413-cce6@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.