Bug 2464096 (CVE-2026-31786) - CVE-2026-31786 kernel: Buffer overflow in drivers/xen/sys-hypervisor.c
Summary: CVE-2026-31786 kernel: Buffer overflow in drivers/xen/sys-hypervisor.c
Keywords:
Status: NEW
Alias: CVE-2026-31786
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-04-30 12:01 UTC by OSIDB Bzimport
Modified: 2026-06-08 12:55 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2026:24381 | 0 | None | None | None | 2026-06-08 12:55:48 UTC

Description OSIDB Bzimport 2026-04-30 12:01:38 UTC
In the Linux kernel, the following vulnerability has been resolved:

Buffer overflow in drivers/xen/sys-hypervisor.c

The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
neither NUL terminated nor a string.

The first causes a buffer overflow as sprintf in buildid_show will
read and copy till it finds a NUL.

00000000  f4 91 51 f4 dd 38 9e 9d  65 47 52 eb 10 71 db 50  |..Q..8..eGR..q.P|
00000010  b9 a8 01 42 6f 2e 32                              |...Bo.2|
00000017

So use a memcpy instead of sprintf to have the correct value:

00000000  f4 91 51 f4 dd 00 9e 9d  65 47 52 eb 10 71 db 50  |..Q.....eGR..q.P|
00000010  b9 a8 01 42                                       |...B|
00000014

(the above have a hack to embed a zero inside and check it's
returned correctly).

This is XSA-485 / CVE-2026-31786
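
The difference between the two dumps in the description, reproduced as an added userspace example (not the kernel patch and not code from this bug report). The function names, the `out` buffer and the NUL placed after the stray bytes are assumptions made for the illustration; the byte values are taken from the dumps above.

```c
#include <stdio.h>
#include <string.h>

#define BUILD_ID_LEN 20   /* build id length, as in the second dump (0x14) */

/* Constructed memory images: the 20 build-id bytes from the dumps, then the
 * stray bytes "o.2" seen in the first dump and an assumed terminating NUL. */
static const unsigned char leaky[24] = {
    0xf4,0x91,0x51,0xf4,0xdd,0x38,0x9e,0x9d,0x65,0x47,0x52,0xeb,
    0x10,0x71,0xdb,0x50,0xb9,0xa8,0x01,0x42, 'o','.','2',0x00 };
static const unsigned char zeroed[24] = {   /* same, with byte 5 set to 0 */
    0xf4,0x91,0x51,0xf4,0xdd,0x00,0x9e,0x9d,0x65,0x47,0x52,0xeb,
    0x10,0x71,0xdb,0x50,0xb9,0xa8,0x01,0x42, 'o','.','2',0x00 };

static char out[64];      /* hypothetical stand-in for the sysfs output page */

/* Pre-fix pattern: the id is formatted as a C string, so the copy ends at
 * the first NUL in memory and the real length is never consulted.
 * snprintf keeps this demo bounded; the description names sprintf. */
static int show_as_string(const unsigned char *id, size_t len)
{
    (void)len;
    return snprintf(out, sizeof(out), "%s", (const char *)id);
}

/* Post-fix pattern: copy exactly len bytes, whether or not they contain NUL. */
static int show_as_bytes(const unsigned char *id, size_t len)
{
    if (len > sizeof(out))
        return -1;
    memcpy(out, id, len);
    return (int)len;
}

int main(void)
{
    printf("string copy, no NUL in id:  %d bytes\n",
           show_as_string(leaky, BUILD_ID_LEN));
    printf("string copy, NUL at byte 5: %d bytes\n",
           show_as_string(zeroed, BUILD_ID_LEN));
    printf("memcpy, NUL at byte 5:      %d bytes\n",
           show_as_bytes(zeroed, BUILD_ID_LEN));
    return 0;
}
```

The string copy returns 23 bytes for a 20-byte id (an over-read into adjacent memory) and only 5 bytes when the id contains a zero (a truncated, wrong value); the length-based copy returns 20 in both cases.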

Comment 3 errata-xmlrpc 2026-06-08 12:55:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:24381 https://access.redhat.com/errata/RHSA-2026:24381

