CVE-2026-31528 Overview
CVE-2026-31528 is an out-of-bounds memory access vulnerability [CWE-125] in the Linux kernel's perf subsystem. The flaw occurs when x86_pmu_del() performs an out-of-bounds read during transaction rollback after group_sched_in() fails. When a group leader is a software event, the transaction handlers of the wrong Performance Monitoring Unit (PMU) are invoked because inherit uses event->pmu rather than pmu_ctx->pmu to clone events. This undoes the move_group logic in perf_event_open() for inherited contexts, leading to memory safety violations during scheduling.
Critical Impact
A local authenticated attacker can trigger out-of-bounds memory access in the kernel perf subsystem, potentially affecting confidentiality, integrity, and availability of the host system.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 7.0-rc1 through 7.0-rc4
- Systems using the perf performance monitoring subsystem on x86 platforms
Discovery Timeline
- 2026-04-22 - CVE-2026-31528 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-31528
Vulnerability Analysis
The vulnerability resides in the Linux kernel's perf event subsystem, specifically in how Performance Monitoring Unit (PMU) contexts are tracked across event inheritance and group scheduling. When group_sched_in() fails during a PMU transaction, the kernel must roll back partially scheduled events via x86_pmu_del(). The rollback relies on the correct PMU's transaction callbacks being invoked.
The issue arises when a group leader is a software event but the group contains hardware events. The move_group path in perf_event_open() correctly migrates the group into the hardware PMU context using pmu_ctx->pmu. However, the inheritance path clones child events using event->pmu directly, bypassing the pmu_ctx->pmu reference. This causes inherited counters to land in inconsistent PMU contexts.
Root Cause
The root cause is inconsistent use of PMU references across the perf subsystem. The inherit_event() code path uses event->pmu when cloning events for child tasks, while group scheduling and event open paths use pmu_ctx->pmu. This mismatch results in __perf_event_read() and transaction handlers operating on the wrong PMU structure during group operations, producing an out-of-bounds read [CWE-125] when indexing PMU-specific arrays.
Attack Vector
Exploitation requires local access with low privileges and no user interaction. An attacker with permission to invoke perf_event_open() can construct a software-led event group containing hardware events, then trigger inheritance through fork() or clone(). When the inherited group is scheduled and rollback occurs, the wrong PMU's transaction handler reads outside the bounds of the intended PMU state, corrupting kernel memory tracking. The vulnerability affects systems where unprivileged perf usage is permitted via kernel.perf_event_paranoid.
No public proof-of-concept exploit is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-31528
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing x86_pmu_del, group_sched_in, or __perf_event_read in dmesg output
- KASAN (Kernel Address Sanitizer) reports flagging out-of-bounds reads in the perf subsystem
- Processes invoking perf_event_open() followed by rapid fork() activity creating inherited counters
Detection Strategies
- Monitor audit logs for perf_event_open syscall usage by non-root users and correlate with subsequent process forks
- Enable kernel lockdown and KASAN in test environments to surface out-of-bounds accesses before production exposure
- Track abnormal kernel crash patterns on systems where kernel.perf_event_paranoid is set permissively
Monitoring Recommendations
- Collect kernel ring buffer logs centrally and alert on stack traces containing perf-related symbols
- Inventory hosts running affected kernel versions, prioritizing multi-tenant Linux systems and container hosts
- Baseline normal perf usage to identify outlier processes exercising group scheduling paths
How to Mitigate CVE-2026-31528
Immediate Actions Required
- Apply the upstream stable kernel patches referenced below as soon as vendor packages become available
- Restrict unprivileged access to perf_event_open() by setting kernel.perf_event_paranoid to 3 where supported
- Audit which users and containers require perf access and remove the CAP_PERFMON capability from workloads that do not need it
Patch Information
The fix ensures that both the inheritance path and __perf_event_read() use pmu_ctx->pmu instead of event->pmu for group operations, keeping all inherited counters in the same PMU context. Patches are available in the upstream stable tree:
- Linux Kernel Commit 35f7914
- Linux Kernel Commit 3a696e8
- Linux Kernel Commit 4b9ce67
- Linux Kernel Commit 4c75944
- Linux Kernel Commit 656f35b
Workarounds
- Set kernel.perf_event_paranoid=3 via sysctl to block unprivileged perf_event_open() calls until patches are deployed
- Remove CAP_PERFMON and CAP_SYS_ADMIN from container security profiles to prevent guest workloads from triggering the code path
- Disable nested perf group creation for untrusted users via seccomp filters that block perf_event_open syscalls
# Configuration example
# Restrict perf_event_open to root only
sudo sysctl -w kernel.perf_event_paranoid=3
echo 'kernel.perf_event_paranoid=3' | sudo tee /etc/sysctl.d/10-perf-restrict.conf
# Verify the setting
sysctl kernel.perf_event_paranoid
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

