CVE-2026-31521

EUVD-2026-24907

22.04.2026, 14:16

In the Linux kernel, the following vulnerability has been resolved:

module: Fix kernel panic when a symbol st_shndx is out of bounds

The module loader doesn't check for bounds of the ELF section index in
simplify_symbols():

       for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
		const char *name = info->strtab + sym[i].st_name;

		switch (sym[i].st_shndx) {
		case SHN_COMMON:

		[...]

		default:
			/* Divert to percpu allocation if a percpu var. */
			if (sym[i].st_shndx == info->index.pcpu)
				secbase = (unsigned long)mod_percpu(mod);
			else
  /** HERE --> **/		secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
			sym[i].st_value += secbase;
			break;
		}
	}

A symbol with an out-of-bounds st_shndx value, for example 0xffff
(known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:

  BUG: unable to handle page fault for address: ...
  RIP: 0010:simplify_symbols+0x2b2/0x480
  ...
  Kernel panic - not syncing: Fatal exception

This can happen when module ELF is legitimately using SHN_XINDEX or
when it is corrupted.

Add a bounds check in simplify_symbols() to validate that st_shndx is
within the valid range before using it.

This issue was discovered due to a bug in llvm-objcopy, see relevant
discussion for details [1].

[1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	2.6.12.1 ≤ 𝑥 < 5.15.203
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.168
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.131
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.80
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.21
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.11
linux	linux_kernel	2.6.12
linux	linux_kernel	2.6.12:rc2
linux	linux_kernel	2.6.12:rc3
linux	linux_kernel	2.6.12:rc4
linux	linux_kernel	2.6.12:rc5
linux	linux_kernel	7.0:rc1
linux	linux_kernel	7.0:rc2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.174-1 fixed
bullseye	vulnerable
bullseye (security)	vulnerable
forky	7.0.10-1 fixed
sid	7.0.10-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.90-2 fixed

linux-6.1

bullseye (security)

6.1.174-1~deb11u1

fixed

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen, Sicherheitsmaßnahmen zu umgehen, Informationen offenzulegen, andere nicht näher spezifizierte Auswirkungen zu verursachen und möglicherweise Code auszuführen.
Published: 2026-04-22T22:00:00+00:00

References

https://git.kernel.org/stable/c/082f15d2887329e0f43fd3727e69365f5bfe5d2c

https://git.kernel.org/stable/c/4bbdb0e48176fd281c2b9a211b110db6fd94e175

https://git.kernel.org/stable/c/5d16f519b6eb1d071807e57efe0df2baa8d32ad6

https://git.kernel.org/stable/c/6ba6957c640f58dc8ef046981a045da43e47ea23

https://git.kernel.org/stable/c/ec2b22a58073f80739013588af448ff6e2ab906f

https://git.kernel.org/stable/c/ef75dc1401d8e797ee51559a0dd0336c225e1776

https://git.kernel.org/stable/c/f9d69d5e7bde2295eb7488a56f094ac8f5383b92