Description
In the Linux kernel, the following vulnerability has been resolved:

Buffer overflow in drivers/xen/sys-hypervisor.c

The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
neither NUL terminated nor a string.

The first causes a buffer overflow as sprintf in buildid_show will
read and copy till it finds a NUL.

00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
00000017

So use a memcpy instead of sprintf to have the correct value:

00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
00000010 b9 a8 01 42 |...B|
00000014

(the above have a hack to embed a zero inside and check it's
returned correctly).

This is XSA-485 / CVE-2026-31786
Published: 2026-04-30
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a buffer overflow in drivers/xen/sys-hypervisor.c. The function handling the Xen hypervisor interface returns a build ID string that is not NUL terminated. A subsequent sprintf in buildid_show copies data until it finds a null byte, which can read past the intended buffer and overwrite memory. This overflow can cause kernel memory corruption and potentially a crash or system instability. This issue corresponds to CWE-170 (Improper Null Termination) and CWE-787 (Out-of-Bounds Write).

Affected Systems

Affected systems include all Linux kernel installations that contain the Xen hypervisor driver and have not yet applied the patch that replaces the sprintf with a memcpy. The vulnerability may exist in any distribution that ships the unmodified kernel source for drivers/xen/sys-hypervisor.c; no specific version range is provided in the CNA data. Kernel builds that include the updated code are immune.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity while the EPSS score of <1% and absence from the CISA KEV indicate that exploitation on the Internet is unlikely at present. The likely attack vector is through the Xen hypervisor interface, which an attacker may access from a privileged guest or by running code with hypervisor privileges. Based on the description, it is inferred that an attacker must be able to trigger the HYPERVISOR_xen_version hypercall to cause the overflow. If achieved, the attacker could gain arbitrary kernel memory corruption, elevating privileges or inducing denial of service. The overall risk is therefore moderate to high with low likelihood of exploitation.

Generated by OpenCVE AI on May 6, 2026 at 21:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel release that includes the memcpy change in drivers/xen/sys-hypervisor.c to prevent the buffer overflow.
  • If an immediate update cannot be applied, temporarily disable or restrict access to the Xen hypervisor interface until the patch is installed.
  • Deploy the patched kernel in a controlled manner and monitor system stability to detect any exploitation attempts.

Generated by OpenCVE AI on May 6, 2026 at 21:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Wed, 06 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*

Mon, 04 May 2026 08:45:00 +0000

Type Values Removed Values Added
References

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 02 May 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Thu, 30 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-170

Thu, 30 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 30 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: Buffer overflow in drivers/xen/sys-hypervisor.c The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string. The first causes a buffer overflow as sprintf in buildid_show will read and copy till it finds a NUL. 00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P| 00000010 b9 a8 01 42 6f 2e 32 |...Bo.2| 00000017 So use a memcpy instead of sprintf to have the correct value: 00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P| 00000010 b9 a8 01 42 |...B| 00000014 (the above have a hack to embed a zero inside and check it's returned correctly). This is XSA-485 / CVE-2026-31786
Title Buffer overflow in drivers/xen/sys-hypervisor.c
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:15:47.090Z

Reserved: 2026-03-09T15:48:24.141Z

Link: CVE-2026-31786

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-30T11:16:20.967

Modified: 2026-05-06T19:44:30.693

Link: CVE-2026-31786

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-30T00:00:00Z

Links: CVE-2026-31786 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T21:15:13Z

Weaknesses