{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31786","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.141Z","datePublished":"2026-04-30T10:31:28.293Z","dateUpdated":"2026-05-11T22:15:47.090Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:15:47.090Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nBuffer overflow in drivers/xen/sys-hypervisor.c\n\nThe build id returned by HYPERVISOR_xen_version(XENVER_build_id) is\nneither NUL terminated nor a string.\n\nThe first causes a buffer overflow as sprintf in buildid_show will\nread and copy till it finds a NUL.\n\n00000000  f4 91 51 f4 dd 38 9e 9d  65 47 52 eb 10 71 db 50  |..Q..8..eGR..q.P|\n00000010  b9 a8 01 42 6f 2e 32                              |...Bo.2|\n00000017\n\nSo use a memcpy instead of sprintf to have the correct value:\n\n00000000  f4 91 51 f4 dd 00 9e 9d  65 47 52 eb 10 71 db 50  |..Q.....eGR..q.P|\n00000010  b9 a8 01 42                                       |...B|\n00000014\n\n(the above have a hack to embed a zero inside and check it's\nreturned correctly).\n\nThis is XSA-485 / CVE-2026-31786"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/xen/sys-hypervisor.c"],"versions":[{"version":"84b7625728ea311ea35bdaa0eded53c1c56baeaa","lessThan":"e3af585e1728c917682b6a3de9a69b41fb9194d4","status":"affected","versionType":"git"},{"version":"84b7625728ea311ea35bdaa0eded53c1c56baeaa","lessThan":"8288d031a01dbacfde3fc643f7be3d23504de64d","status":"affected","versionType":"git"},{"version":"84b7625728ea311ea35bdaa0eded53c1c56baeaa","lessThan":"f458ba102da97fafca106327086fc95f3fc764cb","status":"affected","versionType":"git"},{"version":"84b7625728ea311ea35bdaa0eded53c1c56baeaa","lessThan":"4b4defd2fce3f966c25adabf46644a85558f1169","status":"affected","versionType":"git"},{"version":"84b7625728ea311ea35bdaa0eded53c1c56baeaa","lessThan":"5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a","status":"affected","versionType":"git"},{"version":"84b7625728ea311ea35bdaa0eded53c1c56baeaa","lessThan":"d5f59216650c51e5e3fcb7517c825bc8047f60ef","status":"affected","versionType":"git"},{"version":"84b7625728ea311ea35bdaa0eded53c1c56baeaa","lessThan":"52cecff98bda2c51eed1c6ce9d21c5d6268fb19d","status":"affected","versionType":"git"},{"version":"84b7625728ea311ea35bdaa0eded53c1c56baeaa","lessThan":"27fdbab4221b375de54bf91919798d88520c6e28","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/xen/sys-hypervisor.c"],"versions":[{"version":"4.13","status":"affected"},{"version":"0","lessThan":"4.13","status":"unaffected","versionType":"semver"},{"version":"5.10.254","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.204","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.170","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.137","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.85","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.26","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.3","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1-rc2","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"5.10.254"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"5.15.204"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.1.170"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.6.137"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.12.85"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.18.26"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"7.0.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"7.1-rc2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e3af585e1728c917682b6a3de9a69b41fb9194d4"},{"url":"https://git.kernel.org/stable/c/8288d031a01dbacfde3fc643f7be3d23504de64d"},{"url":"https://git.kernel.org/stable/c/f458ba102da97fafca106327086fc95f3fc764cb"},{"url":"https://git.kernel.org/stable/c/4b4defd2fce3f966c25adabf46644a85558f1169"},{"url":"https://git.kernel.org/stable/c/5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a"},{"url":"https://git.kernel.org/stable/c/d5f59216650c51e5e3fcb7517c825bc8047f60ef"},{"url":"https://git.kernel.org/stable/c/52cecff98bda2c51eed1c6ce9d21c5d6268fb19d"},{"url":"https://git.kernel.org/stable/c/27fdbab4221b375de54bf91919798d88520c6e28"}],"title":"Buffer overflow in drivers/xen/sys-hypervisor.c","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/04/28/12"},{"url":"http://xenbits.xen.org/xsa/advisory-485.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-04-30T10:39:32.708Z"}}]}}