{"id":"CVE-2026-31525","summary":"bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN\n\nThe BPF interpreter's signed 32-bit division and modulo handlers use\nthe kernel abs() macro on s32 operands. The abs() macro documentation\n(include/linux/math.h) explicitly states the result is undefined when\nthe input is the type minimum. When DST contains S32_MIN (0x80000000),\nabs((s32)DST) triggers undefined behavior and returns S32_MIN unchanged\non arm64/x86. This value is then sign-extended to u64 as\n0xFFFFFFFF80000000, causing do_div() to compute the wrong result.\n\nThe verifier's abstract interpretation (scalar32_min_max_sdiv) computes\nthe mathematically correct result for range tracking, creating a\nverifier/interpreter mismatch that can be exploited for out-of-bounds\nmap value access.\n\nIntroduce abs_s32() which handles S32_MIN correctly by casting to u32\nbefore negating, avoiding signed overflow entirely. Replace all 8\nabs((s32)...) call sites in the interpreter's sdiv32/smod32 handlers.\n\ns32 is the only affected case -- the s64 division/modulo handlers do\nnot use abs().","modified":"2026-05-18T05:59:50.167919600Z","published":"2026-04-22T13:54:39.144Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31525.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0d5d8c3ce45c734aaf3c51cbef59155a6746157d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/694ea55f1b1c74f9942d91ec366ae9e822422e42"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9ab1227765c446942f290c83382f0b19887c55cf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c77b30bd1dcb61f66c640ff7d2757816210c7cb0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f14ca604c0ff274fba19f73f1f0485c0047c1396"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31525.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31525"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ec0e2da95f72d4a46050a4d994e4fe471474fd80"},{"fixed":"694ea55f1b1c74f9942d91ec366ae9e822422e42"},{"fixed":"9ab1227765c446942f290c83382f0b19887c55cf"},{"fixed":"f14ca604c0ff274fba19f73f1f0485c0047c1396"},{"fixed":"0d5d8c3ce45c734aaf3c51cbef59155a6746157d"},{"fixed":"c77b30bd1dcb61f66c640ff7d2757816210c7cb0"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31525.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.6.0"},{"fixed":"6.6.131"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.80"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.21"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31525.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}