CVE-2026-31525 Overview
CVE-2026-31525 is a Linux kernel vulnerability in the Berkeley Packet Filter (BPF) interpreter. The flaw resides in the signed 32-bit division (sdiv32) and modulo (smod32) handlers. These handlers invoke the kernel abs() macro on s32 operands, which produces undefined behavior when the input equals S32_MIN (0x80000000). The undefined result creates a mismatch between the BPF verifier's abstract interpretation and runtime execution. A local attacker with the ability to load BPF programs can exploit this verifier/interpreter divergence to perform out-of-bounds access to BPF map values [CWE-787].
Critical Impact
Local attackers can exploit the verifier/interpreter mismatch to achieve out-of-bounds map value access, potentially leading to memory corruption and local privilege escalation.
Affected Products
- Linux Kernel 7.0-rc1
- Linux Kernel 7.0-rc2
- Linux Kernel 7.0-rc3 and 7.0-rc4
Discovery Timeline
- 2026-04-22 - CVE-2026-31525 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-31525
Vulnerability Analysis
The BPF interpreter implements signed 32-bit division and modulo via the kernel abs() macro applied to s32 operands. The abs() macro, defined in include/linux/math.h, explicitly documents that its result is undefined when the input equals the type minimum value. When the destination register DST contains S32_MIN (0x80000000), abs((s32)DST) triggers signed integer overflow.
On arm64 and x86, the operation returns S32_MIN unchanged. The interpreter then sign-extends this value to u64, producing 0xFFFFFFFF80000000. The subsequent do_div() call computes an incorrect quotient or remainder using this corrupted operand.
The BPF verifier performs abstract interpretation in scalar32_min_max_sdiv and computes the mathematically correct division result for range tracking. The verifier therefore approves the program based on bounds that the interpreter does not honor at runtime.
Root Cause
The root cause is undefined behavior in signed integer negation. Negating INT_MIN in two's-complement arithmetic cannot be represented as a positive s32. The kernel abs() macro does not guard against this case. The fix introduces abs_s32(), which casts the operand to u32 before negation, eliminating signed overflow. The patch replaces all eight abs((s32)...) call sites within the sdiv32 and smod32 handlers. The 64-bit division and modulo handlers are unaffected because they do not use abs().
Attack Vector
Exploitation requires local access and the privilege to load BPF programs. The attacker crafts a BPF program containing a signed 32-bit division or modulo where the dividend can equal S32_MIN. The verifier computes valid bounds for the quotient using correct arithmetic. The interpreter then computes a different result at runtime, allowing the attacker to derive a scalar value outside the verifier-approved range. This out-of-range scalar can be used to index into a BPF map value, producing an out-of-bounds read or write within kernel memory.
The vulnerability requires the BPF interpreter to be active, which occurs when the BPF JIT is disabled or unavailable for the target architecture configuration.
Detection Methods for CVE-2026-31525
Indicators of Compromise
- Unexpected loading of BPF programs by non-root users on systems where kernel.unprivileged_bpf_disabled is set to 0.
- BPF programs that contain BPF_ALU | BPF_DIV | BPF_K or BPF_ALU | BPF_MOD | BPF_K opcodes with operands approaching S32_MIN.
- Kernel oops or memory corruption traces originating from BPF map value accesses.
- Audit log entries showing bpf() syscall activity from unprivileged contexts.
Detection Strategies
- Audit bpf() syscall invocations via the Linux audit subsystem and correlate with the calling UID.
- Inspect loaded BPF programs using bpftool prog dump xlated to identify suspicious signed division or modulo instructions.
- Monitor for kernel address space anomalies and unexpected map value reads outside expected bounds using KASAN-instrumented kernels in test environments.
Monitoring Recommendations
- Forward kernel audit and dmesg output to a centralized logging platform for retention and correlation.
- Track the value of /proc/sys/kernel/unprivileged_bpf_disabled and alert on changes.
- Baseline legitimate BPF program loaders such as systemd, container runtimes, and observability agents, and flag deviations.
How to Mitigate CVE-2026-31525
Immediate Actions Required
- Apply the upstream kernel patches referenced in the Linux Kernel Commit 0d5d8c3 and related stable tree commits.
- Disable unprivileged BPF program loading by setting kernel.unprivileged_bpf_disabled=1 until patches are deployed.
- Restrict CAP_BPF and CAP_SYS_ADMIN capabilities to trusted system services only.
Patch Information
The fix introduces an abs_s32() helper that casts the s32 operand to u32 before negation, avoiding signed overflow on S32_MIN. All eight call sites in the sdiv32 and smod32 interpreter handlers are updated. Refer to the upstream commits: 0d5d8c3, 694ea55, 9ab1227, c77b30b, and f14ca60.
Workarounds
- Set kernel.unprivileged_bpf_disabled=1 via sysctl to prevent unprivileged users from loading BPF programs.
- Enable the BPF JIT compiler via net.core.bpf_jit_enable=1 where supported, since only the interpreter path is affected.
- Apply seccomp or LSM policies to deny the bpf() syscall to untrusted workloads and container processes.
# Configuration example
sysctl -w kernel.unprivileged_bpf_disabled=1
sysctl -w net.core.bpf_jit_enable=1
echo 'kernel.unprivileged_bpf_disabled=1' >> /etc/sysctl.d/99-bpf-hardening.conf
echo 'net.core.bpf_jit_enable=1' >> /etc/sysctl.d/99-bpf-hardening.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
