HIGH
xen BuildID Overflow
CVE-2026-31786
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 HIGH
01 Description

In the Linux kernel, the following vulnerability has been resolved:

Buffer overflow in drivers/xen/sys-hypervisor.c

The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string. The first causes a buffer overflow as sprintf in buildid_show will read and copy till it finds a NUL.

    00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
    00000010 b9 a8 01 42 6f 2e 32                            |...Bo.2|
    00000017

So use a memcpy instead of sprintf to have the correct value:

    00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
    00000010 b9 a8 01 42                                     |...B|
    00000014

(the above have a hack to embed a zero inside and check it's returned correctly)

This is XSA-485 / CVE-2026-31786
02 KernelScan AI Analysis
Risk summary
A local, unprivileged user on a system running as a Xen domain can trigger the bug simply by reading the hypervisor build ID from sysfs. Because sprintf copies until it finds a NUL byte, each read copies whatever heap memory follows the build-ID allocation into the sysfs output, disclosing kernel heap contents to the caller; if no NUL occurs within a page, the copy also overruns the page-sized sysfs buffer, which is the memory-corruption path behind the denial-of-service and privilege-escalation concern. The build ID itself comes from the hypervisor, so the reader does not choose the bytes, but every read reproduces the out-of-bounds access. The vulnerability is limited to kernels running under Xen and requires local access.
Vulnerability analysis
Summary: Buffer overflow in the Xen hypervisor build ID sysfs interface caused by treating binary data as a NUL-terminated string.
Root Cause: buildid_show() asks the hypervisor for the build ID's length, allocates a buffer of that size, fetches the ID into it, and then formats it into the sysfs page with sprintf(buffer, "%s", ...). That treats the ID as a C string, but HYPERVISOR_xen_version(XENVER_build_id) returns raw bytes of a known length with no terminator, and the bytes may legitimately include 0x00 (an embedded zero would silently truncate the output). With no terminator, sprintf keeps reading past the end of the allocation until it happens to hit a NUL, copying the adjacent heap bytes into the output and, if no NUL appears within PAGE_SIZE bytes, overrunning the sysfs buffer as well.
Attack Surface: Local, through the sysfs attribute /sys/hypervisor/properties/buildid. The attribute is world-readable, so any local user can trigger the read; no special privileges are needed. The /sys/hypervisor tree only exists when the kernel runs as a Xen domain (dom0 or domU), so other systems are unaffected.
Fix Mechanism: The patch replaces sprintf() with memcpy() so that exactly the number of bytes the hypervisor reported is copied, and adds a bounds check that the reported length does not exceed PAGE_SIZE before allocating. The build ID is thereby handled as binary data of known length rather than as a string: embedded zeros are preserved, nothing past the allocation is read, and the sysfs buffer cannot be overrun.
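The string-versus-binary mistake at the heart of this bug, shown as an added user-space example written for this page rather than taken from the kernel: both show() variants run over a constructed build ID (the bytes are the ones in the commit's hexdumps; the trailing "HEAP" bytes, the 64-byte `sysfs_buf`, and the function names are assumptions that stand in for neighbouring heap memory, the PAGE_SIZE sysfs buffer, and the real buildid_show()).

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not kernel code): the sysfs show() pattern before and after
 * the fix, run in user space so the difference is observable.
 *
 * A Xen build id is `len` raw bytes with no terminator. The vulnerable show()
 * treats it as a C string; the fixed one treats it as binary of known length.
 */

#define BUILD_ID_LEN 20   /* bytes the stand-in "hypercall" reports */

/* Constructed sample 1: the 20 bytes from the commit's first hexdump (no 0x00
 * among them), followed by "HEAP" to stand in for whatever happens to sit
 * after the kmalloc'd object. Keeping the neighbour inside the same array
 * keeps this demo well-defined C; in the kernel the same read is a genuine
 * heap over-read. */
static const unsigned char sample_no_nul[BUILD_ID_LEN + 5] = {
    0xf4, 0x91, 0x51, 0xf4, 0xdd, 0x38, 0x9e, 0x9d, 0x65, 0x47,
    0x52, 0xeb, 0x10, 0x71, 0xdb, 0x50, 0xb9, 0xa8, 0x01, 0x42,
    'H',  'E',  'A',  'P',  0x00,
};

/* Constructed sample 2: same id with a 0x00 at offset 5, as in the commit's
 * second hexdump (its "hack to embed a zero"). */
static const unsigned char sample_embedded_nul[BUILD_ID_LEN + 5] = {
    0xf4, 0x91, 0x51, 0xf4, 0xdd, 0x00, 0x9e, 0x9d, 0x65, 0x47,
    0x52, 0xeb, 0x10, 0x71, 0xdb, 0x50, 0xb9, 0xa8, 0x01, 0x42,
    'H',  'E',  'A',  'P',  0x00,
};

/* Stand-in for the page-sized buffer sysfs hands to a show() callback,
 * shrunk to 64 bytes for the demo (assumption). */
#define SYSFS_BUF_SIZE 64
static char sysfs_buf[SYSFS_BUF_SIZE];

/* Vulnerable pattern: sprintf("%s") copies until the first 0x00, so it
 * either stops early (embedded zero -> truncated id) or runs off the end of
 * the id (no zero -> neighbouring bytes are handed to the reader). */
int buildid_show_vulnerable(const unsigned char *id)
{
    memset(sysfs_buf, 0, sizeof sysfs_buf);
    return sprintf(sysfs_buf, "%s", (const char *)id);
}

/* Fixed pattern: bounds-check the reported length against the output buffer,
 * then memcpy exactly that many bytes. Embedded zeros are preserved and
 * nothing past the id is touched. */
int buildid_show_fixed(const unsigned char *id, size_t len)
{
    if (len > sizeof sysfs_buf)
        return -1;              /* would overflow the sysfs buffer */
    memset(sysfs_buf, 0, sizeof sysfs_buf);
    memcpy(sysfs_buf, id, len);
    return (int)len;
}

/* Helpers so the outcome can be inspected after each call. */
int sysfs_byte(size_t i)
{
    return (unsigned char)sysfs_buf[i];
}

/* 1 if the bytes right after the id in sysfs_buf are the "HEAP" neighbour,
 * i.e. the reader received memory that was never part of the build id. */
int sysfs_leaked_neighbour(void)
{
    return memcmp(sysfs_buf + BUILD_ID_LEN, "HEAP", 4) == 0;
}

static void dump(const char *tag, int n)
{
    printf("%-8s ret=%3d :", tag, n);
    for (int i = 0; i < n && i < (int)sizeof sysfs_buf; i++)
        printf(" %02x", sysfs_byte(i));
    putchar('\n');
}

int main(void)
{
    dump("sprintf", buildid_show_vulnerable(sample_no_nul));       /* 24 bytes, ends in "HEAP" */
    dump("sprintf", buildid_show_vulnerable(sample_embedded_nul));  /* 5 bytes: truncated */
    dump("memcpy", buildid_show_fixed(sample_no_nul, BUILD_ID_LEN));       /* exactly 20 */
    dump("memcpy", buildid_show_fixed(sample_embedded_nul, BUILD_ID_LEN));  /* 20, zero kept */
    printf("oversized len rejected: %d\n",
           buildid_show_fixed(sample_no_nul, SYSFS_BUF_SIZE + 1));  /* -1 */
    return 0;
}
```

Compile with `cc -Wall` and run: the sprintf variant returns 24 bytes for the first sample, four of which were never part of the build ID, and only 5 for the second, while the memcpy variant returns exactly 20 in both cases, keeps the embedded zero, and rejects a length larger than its buffer instead of overrunning it.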
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.254 | e3af585e1728 |
| 5.15 | 5.15.204 | 8288d031a01d |
| 6.1 | 6.1.170 | f458ba102da9 |
| 6.6 | 6.6.137 | 4b4defd2fce3 |
| 6.12 | 6.12.85 | 5c5ff7c7bd15 |
| 6.18 | 6.18.26 | d5f59216650c |
| 7.0 | 7.0.3 | 52cecff98bda |
| mainline | 7.1-rc2 | 27fdbab4221b |