{"api_version":"1","generated_at":"2026-04-22T17:48:41+00:00","cve":"CVE-2026-31526","urls":{"html":"https://cve.report/CVE-2026-31526","api":"https://cve.report/api/cve/CVE-2026-31526.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31526","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31526"},"summary":{"title":"bpf: Fix exception exit lock checking for subprogs","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix exception exit lock checking for subprogs\n\nprocess_bpf_exit_full() passes check_lock = !curframe to\ncheck_resource_leak(), which is false in cases when bpf_throw() is\ncalled from a static subprog. This makes check_resource_leak() to skip\nvalidation of active_rcu_locks, active_preempt_locks, and\nactive_irq_id on exception exits from subprogs.\n\nAt runtime bpf_throw() unwinds the stack via ORC without releasing any\nuser-acquired locks, which may cause various issues as the result.\n\nFix by setting check_lock = true for exception exits regardless of\ncurframe, since exceptions bypass all intermediate frame\ncleanup. Update the error message prefix to \"bpf_throw\" for exception\nexits to distinguish them from normal BPF_EXIT.\n\nFix reject_subprog_with_rcu_read_lock test which was previously\npassing for the wrong reason. Test program returned directly from the\nsubprog call without closing the RCU section, so the error was\ntriggered by the unclosed RCU lock on normal exit, not by\nbpf_throw. Update __msg annotations for affected tests to match the\nnew \"bpf_throw\" error prefix.\n\nThe spin_lock case is not affected because they are already checked [1]\nat the call site in do_check_insn() before bpf_throw can run.\n\n[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/verifier.c?h=v7.0-rc4#n21098","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-22 14:16:52","updated_at":"2026-04-22 14:16:52"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/6c2128505f61b504c79a20b89596feba61388112","name":"https://git.kernel.org/stable/c/6c2128505f61b504c79a20b89596feba61388112","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c0281da1f2aa5c2fca3a05f79b86bea96591c358","name":"https://git.kernel.org/stable/c/c0281da1f2aa5c2fca3a05f79b86bea96591c358","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/5a399f3117642494e35545f6ca397d3e177c1f9b","name":"https://git.kernel.org/stable/c/5a399f3117642494e35545f6ca397d3e177c1f9b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31526","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31526","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f18b03fabaa9b7c80e80b72a621f481f0d706ae0 c0281da1f2aa5c2fca3a05f79b86bea96591c358 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f18b03fabaa9b7c80e80b72a621f481f0d706ae0 5a399f3117642494e35545f6ca397d3e177c1f9b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f18b03fabaa9b7c80e80b72a621f481f0d706ae0 6c2128505f61b504c79a20b89596feba61388112 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.7","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.7 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.21 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.11 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["kernel/bpf/verifier.c","tools/testing/selftests/bpf/progs/exceptions_fail.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"c0281da1f2aa5c2fca3a05f79b86bea96591c358","status":"affected","version":"f18b03fabaa9b7c80e80b72a621f481f0d706ae0","versionType":"git"},{"lessThan":"5a399f3117642494e35545f6ca397d3e177c1f9b","status":"affected","version":"f18b03fabaa9b7c80e80b72a621f481f0d706ae0","versionType":"git"},{"lessThan":"6c2128505f61b504c79a20b89596feba61388112","status":"affected","version":"f18b03fabaa9b7c80e80b72a621f481f0d706ae0","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["kernel/bpf/verifier.c","tools/testing/selftests/bpf/progs/exceptions_fail.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.7"},{"lessThan":"6.7","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.21","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.11","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.21","versionStartIncluding":"6.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.11","versionStartIncluding":"6.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.7","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix exception exit lock checking for subprogs\n\nprocess_bpf_exit_full() passes check_lock = !curframe to\ncheck_resource_leak(), which is false in cases when bpf_throw() is\ncalled from a static subprog. This makes check_resource_leak() to skip\nvalidation of active_rcu_locks, active_preempt_locks, and\nactive_irq_id on exception exits from subprogs.\n\nAt runtime bpf_throw() unwinds the stack via ORC without releasing any\nuser-acquired locks, which may cause various issues as the result.\n\nFix by setting check_lock = true for exception exits regardless of\ncurframe, since exceptions bypass all intermediate frame\ncleanup. Update the error message prefix to \"bpf_throw\" for exception\nexits to distinguish them from normal BPF_EXIT.\n\nFix reject_subprog_with_rcu_read_lock test which was previously\npassing for the wrong reason. Test program returned directly from the\nsubprog call without closing the RCU section, so the error was\ntriggered by the unclosed RCU lock on normal exit, not by\nbpf_throw. Update __msg annotations for affected tests to match the\nnew \"bpf_throw\" error prefix.\n\nThe spin_lock case is not affected because they are already checked [1]\nat the call site in do_check_insn() before bpf_throw can run.\n\n[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/verifier.c?h=v7.0-rc4#n21098"}],"providerMetadata":{"dateUpdated":"2026-04-22T13:54:39.800Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/c0281da1f2aa5c2fca3a05f79b86bea96591c358"},{"url":"https://git.kernel.org/stable/c/5a399f3117642494e35545f6ca397d3e177c1f9b"},{"url":"https://git.kernel.org/stable/c/6c2128505f61b504c79a20b89596feba61388112"}],"title":"bpf: Fix exception exit lock checking for subprogs","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31526","datePublished":"2026-04-22T13:54:39.800Z","dateReserved":"2026-03-09T15:48:24.111Z","dateUpdated":"2026-04-22T13:54:39.800Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-22 14:16:52","lastModifiedDate":"2026-04-22 14:16:52","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31526","Ordinal":"1","Title":"bpf: Fix exception exit lock checking for subprogs","CVE":"CVE-2026-31526","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31526","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix exception exit lock checking for subprogs\n\nprocess_bpf_exit_full() passes check_lock = !curframe to\ncheck_resource_leak(), which is false in cases when bpf_throw() is\ncalled from a static subprog. This makes check_resource_leak() to skip\nvalidation of active_rcu_locks, active_preempt_locks, and\nactive_irq_id on exception exits from subprogs.\n\nAt runtime bpf_throw() unwinds the stack via ORC without releasing any\nuser-acquired locks, which may cause various issues as the result.\n\nFix by setting check_lock = true for exception exits regardless of\ncurframe, since exceptions bypass all intermediate frame\ncleanup. Update the error message prefix to \"bpf_throw\" for exception\nexits to distinguish them from normal BPF_EXIT.\n\nFix reject_subprog_with_rcu_read_lock test which was previously\npassing for the wrong reason. Test program returned directly from the\nsubprog call without closing the RCU section, so the error was\ntriggered by the unclosed RCU lock on normal exit, not by\nbpf_throw. Update __msg annotations for affected tests to match the\nnew \"bpf_throw\" error prefix.\n\nThe spin_lock case is not affected because they are already checked [1]\nat the call site in do_check_insn() before bpf_throw can run.\n\n[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/verifier.c?h=v7.0-rc4#n21098","Type":"Description","Title":"bpf: Fix exception exit lock checking for subprogs"}]}}}