Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Out-of-bounds read in Linux kernel Xen sysfs buildid handling

IdentifiersCVE-2026-31786CWE-126

CVE-2026-31786 (XSA-485) is a Linux kernel vulnerability in drivers/xen/sys-hypervisor.c affecting the sysfs exposure of the Xen build ID via /sys/hypervisor/properties/buildid. The Xen hypervisor returns the build ID as binary data that is neither NUL-terminated nor a string. The vulnerable kernel code used sprintf() in buildid_show to copy this value into the sysfs output buffer, causing the kernel to continue reading memory until a zero byte is encountered. This results in an out-of-bounds read from kernel memory. The fix replaces sprintf() with memcpy() so the exact binary length is copied without string interpretation. Supporting advisory text also notes that, in rare cases where no zero byte is encountered within the following sysfs buffer region, the bug may also lead to a write past the 4 KB sysfs buffer.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can disclose adjacent kernel memory contents to a local user able to read the Xen-related sysfs file, potentially exposing sensitive kernel data or secrets. According to XSA-485, the flaw may also enable denial of service and, in rare cases, privilege escalation within Linux Xen domains. The advisory further notes a low-probability scenario in which memory beyond the 4 KB sysfs buffer could be overwritten, increasing the risk beyond pure information disclosure.

Mitigation

If you can’t patch tonight, do this now.

No known mitigation is available short of applying the vendor patch. Where immediate patching is not possible, reducing untrusted local access within affected Linux Xen domains may reduce exposure, but the advisory explicitly states there is no known mitigation.

Remediation

Patch, then assume compromise.

Apply the Linux kernel patch from XSA-485 that changes the vulnerable handling in drivers/xen/sys-hypervisor.c/buildid_show from sprintf() to memcpy(), ensuring the Xen build ID is copied as fixed-length binary data rather than treated as a NUL-terminated string. Update to a kernel build that includes the CVE-2026-31786 fix. Xen identifies the patch as xsa485-linux.patch.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system
Rocky LinuxKerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-31786
NVD
nvd.nist.gov/vuln/detail/CVE-2026-31786
MITRE CWE · CWE-126
cwe.mitre.org
Patch
git.kernel.org/stable/c/27fdbab4221b375de54bf91919798d88520c6e28
Patch
git.kernel.org/stable/c/4b4defd2fce3f966c25adabf46644a85558f1169
Patch
git.kernel.org/stable/c/52cecff98bda2c51eed1c6ce9d21c5d6268fb19d
Patch
git.kernel.org/stable/c/5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a
Patch
git.kernel.org/stable/c/8288d031a01dbacfde3fc643f7be3d23504de64d
Patch
git.kernel.org/stable/c/d5f59216650c51e5e3fcb7517c825bc8047f60ef
Patch
git.kernel.org/stable/c/e3af585e1728c917682b6a3de9a69b41fb9194d4
Patch
git.kernel.org/stable/c/f458ba102da97fafca106327086fc95f3fc764cb
Third Party Advisory
openwall.com/lists/oss-security/2026/04/28/12
+1 more reference
view more in app