Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN

The BPF interpreter's signed 32-bit division and modulo handlers use
the kernel abs() macro on s32 operands. The abs() macro documentation
(include/linux/math.h) explicitly states the result is undefined when
the input is the type minimum. When DST contains S32_MIN (0x80000000),
abs((s32)DST) triggers undefined behavior and returns S32_MIN unchanged
on arm64/x86. This value is then sign-extended to u64 as
0xFFFFFFFF80000000, causing do_div() to compute the wrong result.

The verifier's abstract interpretation (scalar32_min_max_sdiv) computes
the mathematically correct result for range tracking, creating a
verifier/interpreter mismatch that can be exploited for out-of-bounds
map value access.

Introduce abs_s32() which handles S32_MIN correctly by casting to u32
before negating, avoiding signed overflow entirely. Replace all 8
abs((s32)...) call sites in the interpreter's sdiv32/smod32 handlers.

s32 is the only affected case -- the s64 division/modulo handlers do
not use abs().
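
The arithmetic described above, as an added example (not the kernel's source, and not part of the original advisory). It covers the sdiv32 case only. The handler shape in sdiv32_model(), the legacy_abs() stand-in for the pre-fix abs() result, and the body of abs_s32() are assumptions written from the description. The input S32_MIN / 2 is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Models the pre-fix behaviour described above: abs() on an s32 hands
 * S32_MIN back unchanged. Written without signed overflow so this
 * demo has no undefined behaviour of its own. */
static int32_t legacy_abs(int32_t x)
{
    return (x < 0 && x != INT32_MIN) ? -x : x;
}

/* Sketch of the fix as described: cast to u32 before negating. */
static uint32_t abs_s32(int32_t x)
{
    return x >= 0 ? (uint32_t)x : -(uint32_t)x;
}

/* Assumed, simplified shape of a signed 32-bit divide handler: divide
 * the magnitudes in a 64-bit accumulator, then restore the sign.
 * Returns the low 32 bits that would land in the destination register. */
static uint32_t sdiv32_model(int32_t dst, int32_t src, int fixed)
{
    uint64_t ax;
    uint32_t base;

    if (src == 0)
        return 0;                     /* BPF defines x / 0 as 0 */
    if (fixed) {
        ax = abs_s32(dst);            /* 0x0000000080000000 for S32_MIN */
        base = abs_s32(src);
    } else {
        ax = (uint64_t)(int64_t)legacy_abs(dst); /* 0xFFFFFFFF80000000 */
        base = (uint32_t)legacy_abs(src);
    }
    ax /= base;                       /* stands in for do_div(u64, u32) */
    return ((dst < 0) == (src < 0)) ? (uint32_t)ax : (uint32_t)-ax;
}

int main(void)
{
    /* Constructed input: S32_MIN / 2, mathematically -1073741824. */
    printf("pre-fix model: 0x%08x\n", (unsigned)sdiv32_model(INT32_MIN, 2, 0));
    printf("abs_s32 model: 0x%08x\n", (unsigned)sdiv32_model(INT32_MIN, 2, 1));
    return 0;
}
```

The pre-fix model yields 0x40000000 (+1073741824) where the mathematically correct quotient is 0xC0000000 (-1073741824), which is the verifier/interpreter disagreement the description refers to. For every other dividend the two paths agree.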
Published: 2026-04-22
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-Bounds Access
Action: Patch
AI Analysis

Impact

The vulnerability exploits undefined behavior in the Linux kernel’s eBPF interpreter when performing signed 32‑bit division or modulo on the INT_MIN value. The interpreter uses the abs() macro on that value, producing an undefined result that causes the division to compute an incorrect quotient. This mismatch between the interpreter and the verifier’s abstract interpretation creates an out‑of‑bounds map access path, which is inferred to potentially enable data leakage or denial of service.

Affected Systems

All Linux kernel releases prior to the introduction of the abs_s32 helper in the eBPF interpreter are affected. The code impact lies in the sdiv32 and smod32 handlers for signed 32‑bit operations. No specific release ranges are listed, so any kernel version lacking this patch remains vulnerable.

Risk and Exploitability

The CVSS base score of 7.8 indicates high severity. The EPSS score indicates a very low exploitation probability (<1%), and the vulnerability is not listed in CISA’s KEV catalog. The flaw permits an out‑of‑bounds memory access path in the BPF interpreter when a signed 32‑bit division or modulo is performed with the INT_MIN value. The exact attack vector is not explicitly documented, but based on the description it is inferred that a malicious eBPF program that exercises the affected operation could trigger the error. The ability to load such a program is typically restricted to privileged users, so the threat is limited to environments where untrusted BPF code can be introduced. Administrators should treat the potential memory corruption as a high‑risk issue.

Generated by OpenCVE AI on April 29, 2026 at 01:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the abs_s32 patch and the updated sdiv/smod handlers.
  • If an immediate kernel update is not possible, restrict BPF program loading to trusted users or disable unnecessary BPF functionality via kernel configuration or sysctl settings.
  • Monitor for anomalous eBPF activity and apply relevant access controls to detect suspicious behavior.



Advisories
Source: Debian DSA
ID: DSA-6238-1
Title: linux security update
History

Tue, 28 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-680

Tue, 28 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*

Mon, 27 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-680

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description (same text as the Description section at the top of this page)
Title bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:10:28.981Z

Reserved: 2026-03-09T15:48:24.111Z

Link: CVE-2026-31525

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-22T14:16:52.607

Modified: 2026-04-28T18:06:24.583

Link: CVE-2026-31525

Redhat

Severity: Important

Published Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31525 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T01:45:26Z
