CVE-2026-31786 - Vulnerability Details

- Buffer overflow in drivers/xen/sys-hypervisor.c

Description

In the Linux kernel, the following vulnerability has been resolved:

Buffer overflow in drivers/xen/sys-hypervisor.c

The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
neither NUL terminated nor a string.

The first causes a buffer overflow as sprintf in buildid_show will
read and copy till it finds a NUL.

00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
00000017

So use a memcpy instead of sprintf to have the correct value:

00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
00000010 b9 a8 01 42 |...B|
00000014

(the above have a hack to embed a zero inside and check it's
returned correctly).

This is XSA-485 / CVE-2026-31786

Published: 2026-04-30

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel contains a buffer overflow in drivers/xen/sys-hypervisor.c. A non‑NULL‑terminated string returned by HYPERVISOR_xen_version causes the sprintf in buildid_show to read past the intended data and copy until it finds a null byte, leading to a memory corruption. This flaw enables an attacker to overwrite kernel memory controls, potentially allowing arbitrary code execution with kernel privileges.

Affected Systems

All Linux kernel installations that include the Xen hypervisor driver are affected, regardless of vendor distribution. The vulnerability is present in the kernel source for any distribution that has not yet patched the sys-hypervisor.c change.

Risk and Exploitability

The CVSS score is not provided, but a buffer overflow in kernel space is typically high‑severity. EPSS is unavailable, and the vulnerability is not listed in the CISA KEV catalog at this time. An attacker would need the ability to invoke the Xen hypervisor interface, which may be reachable remotely from a guest or locally via privileged code. Successful exploitation would likely result in a hard kernel crash or privilege escalation to the kernel level.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< e3af585e1728c917682b6a3de9a69b41fb9194d4
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 8288d031a01dbacfde3fc643f7be3d23504de64d
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< f458ba102da97fafca106327086fc95f3fc764cb
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 4b4defd2fce3f966c25adabf46644a85558f1169
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d5f59216650c51e5e3fcb7517c825bc8047f60ef
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 52cecff98bda2c51eed1c6ce9d21c5d6268fb19d

Linux

affected

Version	Status	Constraints
`5.10.254`	unaffected	≤ 5.10.*
`5.15.204`	unaffected	≤ 5.15.*
`6.1.170`	unaffected	≤ 6.1.*
`6.6.137`	unaffected	≤ 6.6.*
`6.12.85`	unaffected	≤ 6.12.*
`6.18.26`	unaffected	≤ 6.18.*
`7.0.3`	unaffected	≤ 7.0.*

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,e3af585e1728c917682b6a3de9a69b41fb9194d4)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8288d031a01dbacfde3fc643f7be3d23504de64d)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,f458ba102da97fafca106327086fc95f3fc764cb)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,4b4defd2fce3f966c25adabf46644a85558f1169)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d5f59216650c51e5e3fcb7517c825bc8047f60ef)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,52cecff98bda2c51eed1c6ce9d21c5d6268fb19d)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.10.254,5.11.0)`	unaffected	semver	—
`[5.15.204,5.16.0)`	unaffected	semver	—
`[6.1.170,6.2.0)`	unaffected	semver	—
`[6.6.137,6.7.0)`	unaffected	semver	—
`[6.12.85,6.13.0)`	unaffected	semver	—
`[6.18.26,6.19.0)`	unaffected	semver	—
`[7.0.3,7.1.0)`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that replaces the vulnerable sprintf with a memcpy in drivers/xen/sys-hypervisor.c
Disable or restrict access to the Xen hypervisor interface until the update is installed
Deploy the updated kernel in a staged manner and monitor for stability or further advisories

Generated by OpenCVE AI on April 30, 2026 at 13:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6238-1	linux security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00078.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/04/28/12
http://xenbits.xen.org/xsa/advisory-485.html
https://git.kernel.org/stable/c/4b4defd2fce3f966c25adabf46644a85558f1169
https://git.kernel.org/stable/c/52cecff98bda2c51eed1c6ce9d21c5d6268fb19d
https://git.kernel.org/stable/c/5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a
https://git.kernel.org/stable/c/8288d031a01dbacfde3fc643f7be3d23504de64d
https://git.kernel.org/stable/c/d5f59216650c51e5e3fcb7517c825bc8047f60ef
https://git.kernel.org/stable/c/e3af585e1728c917682b6a3de9a69b41fb9194d4
https://git.kernel.org/stable/c/f458ba102da97fafca106327086fc95f3fc764cb
https://lore.kernel.org/linux-cve-announce/2026043031-CVE-2026-31786-826a@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31786
https://www.cve.org/CVERecord?id=CVE-2026-31786

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026043031-CVE-2026-31786-826a@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31786 https://www.cve.org/CVERecord?id=CVE-2026-31786
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Thu, 30 Apr 2026 14:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-170

Thu, 30 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/04/28/12 http://xenbits.xen.org/xsa/advisory-485.html

Thu, 30 Apr 2026 11:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: Buffer overflow in drivers/xen/sys-hypervisor.c The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string. The first causes a buffer overflow as sprintf in buildid_show will read and copy till it finds a NUL. 00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 \|..Q..8..eGR..q.P\| 00000010 b9 a8 01 42 6f 2e 32 \|...Bo.2\| 00000017 So use a memcpy instead of sprintf to have the correct value: 00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 \|..Q.....eGR..q.P\| 00000010 b9 a8 01 42 \|...B\| 00000014 (the above have a hack to embed a zero inside and check it's returned correctly). This is XSA-485 / CVE-2026-31786
Title		Buffer overflow in drivers/xen/sys-hypervisor.c
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4b4defd2fce3f966c25adabf46644a85558f1169 https://git.kernel.org/stable/c/52cecff98bda2c51eed1c6ce9d21c5d6268fb19d https://git.kernel.org/stable/c/5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a https://git.kernel.org/stable/c/8288d031a01dbacfde3fc643f7be3d23504de64d https://git.kernel.org/stable/c/d5f59216650c51e5e3fcb7517c825bc8047f60ef https://git.kernel.org/stable/c/e3af585e1728c917682b6a3de9a69b41fb9194d4 https://git.kernel.org/stable/c/f458ba102da97fafca106327086fc95f3fc764cb

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-30T10:31:28.293Z

Updated: 2026-04-30T10:39:32.708Z

Reserved: 2026-03-09T15:48:24.141Z

Link: CVE-2026-31786

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-30T11:16:20.967

Modified: 2026-04-30T17:11:25.563

Link: CVE-2026-31786

Redhat

Severity : Important

Publid Date: 2026-04-30T00:00:00Z

Links: CVE-2026-31786 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-30T13:45:23Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object