HIGH
perf ACR OOB
CVE-2026-31782
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.1 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

perf/x86: Fix potential bad container_of in intel_pmu_hw_config

Auto counter reload may have a group of events with software events present within it. The software event PMU isn't the x86_hybrid_pmu and a container_of operation in intel_pmu_set_acr_caused_constr (via the hybrid helper) could cause out of bound memory reads. Avoid this by guarding the call to intel_pmu_set_acr_caused_constr with an is_x86_event check.
02 KernelScan AI Analysis
Risk summary
Systems with Intel x86 processors supporting Auto Counter Reload that allow perf event monitoring are at risk. Attackers with CAP_PERFMON or equivalent privileges can trigger out-of-bounds memory reads, potentially leaking sensitive kernel information or causing system crashes. Container environments and multi-tenant systems using performance monitoring are particularly exposed.
Vulnerability analysis
The vulnerability occurs in intel_pmu_hw_config() when processing perf event groups containing both hardware and software events. The code incorrectly applies container_of() operations to software events, treating their PMU structures as x86_hybrid_pmu when they have different layouts. This causes out-of-bounds memory reads when intel_pmu_set_acr_caused_constr() accesses fields beyond the actual structure boundaries. The fix adds proper type checking with is_x86_event() before the container_of operation. Attack surface is local-only, requiring perf_event_open syscall access with elevated privileges, but can be reached from user namespaces on systems with unprivileged perf events enabled.
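The pattern described above, as an added user-space model (not kernel code and not the patch itself): it shows why container_of on a PMU that is not embedded in the expected container yields an address outside the real object, and how a type guard placed before the call avoids touching it. All `*_model` names, the struct layouts and the guard's pointer-identity test are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel types (assumptions, not kernel code). */
struct pmu { int type; };
struct hybrid_pmu_model { uint64_t acr_state; struct pmu pmu; };
struct event_model { struct pmu *pmu; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static struct hybrid_pmu_model hw_pmu = { 0, { 1 } };  /* pmu embedded in container */
static struct pmu sw_pmu = { 2 };                      /* stand-alone, no container */

/* Stand-in for is_x86_event(): true only for the PMU that really is embedded. */
static int is_x86_event_model(const struct event_model *e)
{
    return e->pmu == &hw_pmu.pmu;
}

/* What an unguarded container_of would compute, as integers only (no
 * dereference): does the assumed container lie inside the real object? */
static int container_in_bounds(const struct event_model *e,
                               const void *obj, size_t obj_size)
{
    uintptr_t base = (uintptr_t)e->pmu - offsetof(struct hybrid_pmu_model, pmu);
    return base >= (uintptr_t)obj &&
           base + sizeof(struct hybrid_pmu_model) <= (uintptr_t)obj + obj_size;
}

/* Guarded walk over a group: touch the container only for x86 events. */
static int apply_acr_model(struct event_model *group, size_t n)
{
    int applied = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_x86_event_model(&group[i]))
            continue;                       /* software event: skip */
        container_of(group[i].pmu, struct hybrid_pmu_model, pmu)->acr_state |= 1u << i;
        applied++;
    }
    return applied;
}

int main(void)
{
    struct event_model group[] = { { &hw_pmu.pmu }, { &sw_pmu }, { &hw_pmu.pmu } };
    printf("sw container in bounds: %d\n", container_in_bounds(&group[1], &sw_pmu, sizeof sw_pmu));
    printf("events updated: %d\n", apply_acr_model(group, 3));
    return 0;
}
```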
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.22 | e435a30ca6fe |
| 6.19 | 6.19.12 | bfee04838f63 |
| mainline | 7.0 | dbde07f06226 |