Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR

maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the
source operand is a constant. When dst has signed range [-1, 0], it
forks the verifier state: the pushed path gets dst = 0, the current
path gets dst = -1.

For BPF_AND this is correct: 0 & K == 0.
For BPF_OR this is wrong: 0 | K == K, not 0.

The pushed path therefore tracks dst as 0 when the runtime value is K,
producing an exploitable verifier/runtime divergence that allows
out-of-bounds map access.

Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to
push_stack(), so the pushed path re-executes the ALU instruction with
dst = 0 and naturally computes the correct result for any opcode.
Published: 2026-04-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw exists in the Linux kernel's BPF verifier when the function maybe_fork_scalars handles BPF_OR instructions with constant operands. The verifier incorrectly forks scalar state, assigning a destination register a value of zero on a pushed path while the current path receives a signed value of minus one. For BPF_OR, this produces the wrong result, causing the verifier to diverge from real runtime execution and permitting an eBPF program to perform an out-of-bounds map access. The vulnerability is an instance of unsound scalar forking (CWE-131) and violations of buffer bounds (CWE-125) that can lead to memory corruption.

Affected Systems

All Linux kernel installations are potentially affected, though the CVE data does not specify particular kernel releases or version ranges. No version constraints are listed, so any kernel containing the vulnerable verified path code is at risk.

Risk and Exploitability

The likelihood of exploitation is low (EPSS < 1 %) and the vulnerability is not included in CISA’s KEV catalog. Nevertheless, because it allows a kernel developer or privileged user to craft an eBPF program that reads or writes beyond map bounds, it can lead to privilege escalation or denial of service. The likely attack vector is local, requiring the execution of a malicious eBPF program that uses the BPF_OR opcode on constant operands. Based on the description, it is inferred that the exploit requires an understanding of eBPF verifier internals; once the divergence is present, the attacker can exploit it without additional system compromise. The CVSS score of 7.8 indicates a high severity vulnerability.

Generated by OpenCVE AI on May 20, 2026 at 18:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the fix applied in commit 342aa1e
  • If an upgrade cannot be performed immediately, restrict the use of BPF programs that employ the BPF_OR opcode with constant operands, or disable BPF loading for untrusted users
  • Monitor system logs for anomalous eBPF activity that could indicate an attempt to exploit verifier/state divergence

Generated by OpenCVE AI on May 20, 2026 at 18:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 13 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References

Sun, 12 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access. Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode.
Title bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:13.825Z

Reserved: 2026-03-09T15:48:24.087Z

Link: CVE-2026-31413

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-12T06:16:20.050

Modified: 2026-05-20T15:49:24.983

Link: CVE-2026-31413

cve-icon Redhat

Severity :

Publid Date: 2026-04-12T00:00:00Z

Links: CVE-2026-31413 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T18:15:26Z

Weaknesses