bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-31413
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-04-12 06:16:20 UTC
Updated2026-04-12 06:16:20 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access. Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode.

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected dea9989a3f3961faede93752cd81eb5a9514d911 342aa1ee995ef5bbf876096dc3a5e51218d76fa4 git Not specified
CNA Linux Linux affected 4c122e8ae14950cf6b59d208fc5160f7c601e746 58bd87d0e69204dbd739e4387a1edb0c4b1644e7 git Not specified
CNA Linux Linux affected e52567173ba86dbffb990595fbe60e2e83899372 d13281ae7ea8902b21d99d10a2c8caf0bdec0455 git Not specified
CNA Linux Linux affected bffacdb80b93b7b5e96b26fad64cc490a6c7d6c7 c845894ebd6fb43226b3118d6b017942550910c5 git Not specified
CNA Linux Linux affected 7.0-rc1 Not specified
CNA Linux Linux unaffected 7.0-rc1 semver Not specified
CNA Linux Linux unaffected 6.12.80 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.21 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.11 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0-rc5 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report