CVE-2026-31742 Overview
CVE-2026-31742 is an out-of-bounds memory access vulnerability in the Linux kernel virtual terminal (vt) subsystem. The flaw resides in the alternate screen handling logic, where a stale unicode buffer can be restored after a console resize. When enter_alt_screen() saves vc_uni_lines into vc_saved_uni_lines and a subsequent vc_do_resize() runs while in the alternate screen, the saved buffer retains the original dimensions. After leave_alt_screen() restores the buffer, operations such as csi_J iterate using mismatched row and column counts, triggering a kernel oops.
Critical Impact
Local attackers can trigger an out-of-bounds read in the kernel (csi_J+0x133/0x2d0), causing system crashes and potential memory disclosure on affected Linux systems.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 7.0-rc5
- Linux Kernel 7.0-rc6
Discovery Timeline
- 2026-05-01 - CVE CVE-2026-31742 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31742
Vulnerability Analysis
The vulnerability is classified as an out-of-bounds read [CWE-125] in the Linux kernel virtual terminal driver. The vt subsystem maintains two unicode line buffers: vc_uni_lines for the active screen and vc_saved_uni_lines for state preserved while the alternate screen is in use. The bug stems from inconsistent state synchronization between these buffers when a terminal resize occurs during alternate screen mode.
When enter_alt_screen() executes, it transfers vc_uni_lines into vc_saved_uni_lines and nulls the active pointer. If userspace then resizes the console, vc_do_resize() checks vc_uni_lines and skips reallocation because the pointer is NULL. The saved buffer keeps its original geometry, for example 80x25, while vc_rows and vc_cols are updated to new dimensions such as 240x67.
Root Cause
The root cause is missing dimension validation when restoring the saved unicode buffer. leave_alt_screen() restores vc_saved_uni_lines to vc_uni_lines without verifying that the saved buffer's geometry matches the current vc_rows and vc_cols. The fix discards the stale saved buffer when console dimensions changed during alternate screen mode, allowing vc_uniscr_check() to lazily rebuild the unicode screen with correct dimensions.
Attack Vector
A local user with access to a virtual terminal can trigger the condition by entering the alternate screen, resizing the terminal, and exiting back to the primary screen. Subsequent screen-clearing operations such as csi_J iterate the unicode buffer using current dimensions while the underlying memory was allocated for the original dimensions. The faulting address 0x0000002000000020 corresponds to two adjacent u32 space characters interpreted as a pointer, demonstrating that out-of-bounds row pointer dereferences occur past the end of the original 25-entry pointer array.
The vulnerability mechanism is documented in the upstream commits. See the kernel patch commit 891d790fdb5c for the authoritative fix.
Detection Methods for CVE-2026-31742
Indicators of Compromise
- Kernel oops messages referencing csi_J+0x133/0x2d0 in dmesg or /var/log/kern.log.
- Page fault entries with addresses resembling repeated ASCII patterns such as 0x0000002000000020.
- Unexpected virtual terminal crashes following terminal resize operations within tmux, screen, or full-screen TUI applications.
Detection Strategies
- Monitor kernel logs for BUG: unable to handle page fault messages originating from the vt subsystem.
- Audit running kernel versions against the patched commits 40014493cece, 428fdf55301e, and 891d790fdb5c.
- Correlate local user sessions with kernel crash events involving virtual console drivers.
Monitoring Recommendations
- Forward kernel.* syslog facility entries to a centralized log platform for crash pattern analysis.
- Enable kdump to capture crash dumps for forensic review when the vt subsystem faults.
- Track unprivileged process activity on systems exposing physical or serial consoles.
How to Mitigate CVE-2026-31742
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the stable tree commits as soon as distribution packages become available.
- Inventory all Linux hosts running kernel 7.0-rc5, 7.0-rc6, and affected stable branches.
- Restrict local console access to trusted users on multi-user systems until patching completes.
Patch Information
The fix has been merged into the stable Linux kernel tree across three commits: 40014493cece, 428fdf55301e, and 891d790fdb5c. The patch modifies leave_alt_screen() to free the stale saved unicode buffer when console dimensions changed during alternate screen mode, allowing vc_uniscr_check() to rebuild the buffer with correct geometry on next use.
Workarounds
- Disable use of the kernel virtual terminal where feasible by booting with vga=normal or relying on serial consoles.
- Limit shell access on affected systems to reduce local attack surface until kernel updates are deployed.
- Avoid running interactive workloads that combine alternate screen applications with console resizing on unpatched kernels.
# Verify running kernel version and check for the fix
uname -r
# After updating, confirm the patched commit is included (distribution-specific)
rpm -q --changelog kernel | grep -i "vt: discard stale unicode buffer"
# or on Debian/Ubuntu
apt changelog linux-image-$(uname -r) | grep -i "vt: discard stale unicode buffer"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
