Description
In the Linux kernel, the following vulnerability has been resolved:

X.509: Fix out-of-bounds access when parsing extensions

Leo reports an out-of-bounds access when parsing a certificate with
empty Basic Constraints or Key Usage extension because the first byte of
the extension is read before checking its length. Fix it.

The bug can be triggered by an unprivileged user by submitting a
specially crafted certificate to the kernel through the keyrings(7) API.
Leo has demonstrated this with a proof-of-concept program responsibly
disclosed off-list.
Published: 2026-04-20
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The kernel's X.509 parser inspects the first byte of a Basic Constraints or Key Usage extension value before checking the value's length, so a certificate whose extension value is empty makes the parser read one byte past the end of that value. The parse runs in kernel context on behalf of whoever adds the key, so an unprivileged local user reaches it by submitting a crafted certificate through the keyrings(7) API (add_key(2)/keyctl(2)) as an asymmetric key. The description establishes a one-byte out-of-bounds read and does not say whether the byte is returned to the caller; the impact is labelled information disclosure because an out-of-bounds read of kernel memory can at worst expose data, and on a KASAN-enabled kernel the access is reported as a bug. Privilege escalation is not claimed, and nothing in the record indicates more than the one-byte read.
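The ordering bug the description refers to, as an added example that models a handler for one extension value; this is not the kernel's x509_cert_parser.c, and the struct, function names, error value and byte sequences are constructed for the demo. The rd() accessor counts reads past vlen in place of KASAN; in a real parse, v[0] of an empty value is whatever byte follows the extension in the certificate blob (or memory just past the buffer when it is the last field).

```c
/* Model of an X.509 extension-value handler, before and after the fix: the
 * "before" variant reads the first byte of the value before checking its
 * length. Added example; not the kernel's x509_cert_parser.c. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define ASN1_CONS_SEQ 0x30   /* constructed SEQUENCE tag */
#define ASN1_BOOL     0x01
#define ASN1_BTS      0x03   /* BIT STRING tag */
#define ERR_BADMSG    (-74)  /* errno-style -EBADMSG */

/* Value as the handler receives it: pointer into the DER blob plus length.
 * oob_reads stands in for KASAN: it counts reads at an index >= vlen. */
struct ext_value {
	const unsigned char *v;
	size_t vlen;
	size_t oob_reads;
};

/* All byte reads go through rd() so the demo counts OOB reads instead of
 * faulting; the demo buffers guarantee v[i] is inside allocated memory. */
static unsigned char rd(struct ext_value *e, size_t i)
{
	if (i >= e->vlen)
		e->oob_reads++;
	return e->v[i];
}

/* BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... } */
static int decode_ca(struct ext_value *e, bool *ca)
{
	if ((size_t)rd(e, 1) != e->vlen - 2)  /* inner length must span the value */
		return ERR_BADMSG;
	*ca = e->vlen >= 5 && rd(e, 2) == ASN1_BOOL && rd(e, 3) == 1 && rd(e, 4);
	return 0;
}

/* BEFORE: tag checked first, so vlen == 0 reads the byte after the extension. */
static int basic_constraints_before(struct ext_value *e, bool *ca)
{
	if (rd(e, 0) != ASN1_CONS_SEQ)
		return ERR_BADMSG;
	if (e->vlen < 2)
		return ERR_BADMSG;
	return decode_ca(e, ca);
}

/* AFTER: length checked before any byte of the value is touched. */
static int basic_constraints_after(struct ext_value *e, bool *ca)
{
	if (e->vlen < 2)
		return ERR_BADMSG;
	if (rd(e, 0) != ASN1_CONS_SEQ)
		return ERR_BADMSG;
	return decode_ca(e, ca);
}

/* KeyUsage ::= BIT STRING, same fixed ordering; *bits gets the first flag byte. */
static int key_usage_after(struct ext_value *e, unsigned char *bits)
{
	if (e->vlen < 4)
		return ERR_BADMSG;
	if (rd(e, 0) != ASN1_BTS || (size_t)rd(e, 1) != e->vlen - 2 || rd(e, 2) > 7)
		return ERR_BADMSG;
	*bits = rd(e, 3);
	return 0;
}

/* Constructed inputs, not taken from a real certificate. */
static const unsigned char bc_ca_true[] = { 0x30, 0x03, 0x01, 0x01, 0xff };
static const unsigned char ku_sign[]    = { 0x03, 0x02, 0x01, 0x86 };

/* Empty value (vlen == 0) with v pointing at the next field's first byte. */
static size_t oob_reads_on_empty(int (*handler)(struct ext_value *, bool *))
{
	bool ca = false;
	struct ext_value e = { bc_ca_true, 0, 0 };
	handler(&e, &ca);
	return e.oob_reads;
}

/* Parsed cA flag (0/1), or -1 if rejected or any read went out of bounds. */
static int ca_flag_of(const unsigned char *v, size_t vlen)
{
	bool ca = false;
	struct ext_value e = { v, vlen, 0 };
	return basic_constraints_after(&e, &ca) == 0 && e.oob_reads == 0 ? ca : -1;
}

/* First keyUsage flag byte, or -1 if rejected or any read went out of bounds. */
static int key_usage_of(const unsigned char *v, size_t vlen)
{
	unsigned char bits = 0;
	struct ext_value e = { v, vlen, 0 };
	return key_usage_after(&e, &bits) == 0 && e.oob_reads == 0 ? bits : -1;
}

int main(void)
{
	printf("empty basicConstraints: before=%zu after=%zu OOB read(s); cA=%d keyUsage=0x%02x\n",
	       oob_reads_on_empty(basic_constraints_before), oob_reads_on_empty(basic_constraints_after),
	       ca_flag_of(bc_ca_true, sizeof bc_ca_true), key_usage_of(ku_sign, sizeof ku_sign));
	return 0;
}
```

The "before" handler still rejects the empty value (the length check that follows fails), so the bug is not visible in the return code; it is visible only in the stray read, which is why KASAN rather than a failed key load is how such bugs surface. The fix is purely a reordering: every length-dependent access must sit behind the length check.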

Affected Systems

Linux kernels that contain the affected X.509 extension parser and have not yet picked up the fix. The CVE record lists no version range (the CPE entry is cpe:2.3:o:linux:linux_kernel:* with no version), so until your distribution publishes fixed package versions, treat any kernel built without the commit "X.509: Fix out-of-bounds access when parsing extensions" as affected.

Risk and Exploitability

The flaw is local: the attacker needs to run code on the target as a user that can call add_key(2)/keyctl(2), which unprivileged accounts can by default. EPSS is below 1% and the issue is not listed in the CISA KEV catalog. Exposure is highest on multi-user or multi-tenant hosts where untrusted local accounts exist; a system with no untrusted local users gains no new attack surface from this bug. The attack vector is an unprivileged local user submitting a malicious certificate via the keyring interface.

Generated by OpenCVE AI on April 20, 2026 at 12:50 UTC.

Remediation

No distribution fix or workaround is recorded on this page yet. The upstream kernel commit named in the description ("X.509: Fix out-of-bounds access when parsing extensions") resolves the issue; distribution kernels that backport it are fixed.

OpenCVE Recommended Actions

  • Apply the kernel update that contains the fix for the out-of-bounds read in X.509 extension parsing.
  • Until then, on hosts with untrusted local users, restrict the add_key(2)/keyctl(2) syscalls to trusted processes (for example with a seccomp filter or an LSM policy). The keyrings API is part of the kernel, not a service that can be stopped.
  • Reboot so the updated kernel is actually running, and confirm with uname -r that the running kernel matches the patched package.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 10:15:00 +0000

Type                 Values Removed  Values Added
Description          -               In the Linux kernel, the following vulnerability has been resolved: X.509: Fix out-of-bounds access when parsing extensions Leo reports an out-of-bounds access when parsing a certificate with empty Basic Constraints or Key Usage extension because the first byte of the extension is read before checking its length. Fix it. The bug can be triggered by an unprivileged user by submitting a specially crafted certificate to the kernel through the keyrings(7) API. Leo has demonstrated this with a proof-of-concept program responsibly disclosed off-list.
Title                -               X.509: Fix out-of-bounds access when parsing extensions
First Time appeared  -               Linux; Linux linux Kernel
CPEs                 -               cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products   -               Linux; Linux linux Kernel
References           -               -

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-20T09:43:03.919Z

Reserved: 2026-03-09T15:48:24.089Z

Link: CVE-2026-31430

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T10:16:16.877

Modified: 2026-04-20T10:16:16.877

Link: CVE-2026-31430

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T13:00:07Z

Weaknesses

No weakness.