PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31413 Linux CVE debrief

CVE-2026-31413 is a Linux kernel BPF verifier bug in maybe_fork_scalars() that can fork verifier state incorrectly for BPF_OR when the source operand is constant. The result is a verifier/runtime mismatch that can permit out-of-bounds map access. NVD rates the issue HIGH (CVSS 7.8) and lists patches for affected stable kernel lines.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-12
Original CVE updated
2026-05-20
Advisory published
2026-04-12
Advisory updated
2026-05-20

Who should care

Linux kernel maintainers, distro security teams, and operators running affected kernel versions in the 6.12, 6.18, and 6.19 stable series should prioritize this issue, especially if BPF-related functionality is enabled or used on production systems.

Technical summary

The verifier’s scalar-forking logic treats both BPF_AND and BPF_OR the same when the source operand is constant. For a destination register with signed range [-1, 0], the current implementation can fork state so the pushed path tracks dst as 0. That is valid for AND, but incorrect for OR because 0 | K should evaluate to K, not 0. This creates a verifier/runtime divergence in the BPF execution model and can lead to out-of-bounds map access. The reported fix changes push_stack() to re-execute the ALU instruction on the pushed path, using env->insn_idx instead of env->insn_idx + 1, so the result is recomputed correctly for the opcode.

Defensive priority

High. This is a kernel memory-safety issue with local attack conditions and high confidentiality, integrity, and availability impact in NVD’s CVSS vector.

Recommended defensive actions

  • Apply the vendor/stable kernel patches referenced in the official git.kernel.org links.
  • Upgrade out of the vulnerable ranges listed by NVD: 6.12.75-6.12.79, 6.18.16-6.18.20, and 6.19.6-6.19.10.
  • Prioritize patching systems that expose or rely on BPF functionality in production.
  • Validate that your kernel builds include the relevant BPF verifier fixes from the upstream stable commits.
  • Track downstream distro advisories for backported fixes if you cannot move to a fully patched upstream release immediately.

Evidence notes

Source evidence comes from the CVE description and NVD metadata. The description states that maybe_fork_scalars() mishandles constant-source scalar forking for BPF_OR, creating a verifier/runtime divergence that can allow out-of-bounds map access. NVD marks the vulnerability as analyzed, assigns CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, lists CWE-125, and provides patch references on git.kernel.org. NVD’s vulnerable CPE criteria identify affected Linux kernel ranges in the 6.12, 6.18, and 6.19 stable series.

Official resources

CVE published at 2026-04-12T06:16:20.050Z and modified by NVD at 2026-05-20T15:49:24.983Z. No KEV listing is provided in the supplied data.