{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31430", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.089Z", "datePublished": "2026-04-20T09:43:03.919Z", "dateUpdated": "2026-04-20T09:43:03.919Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-20T09:43:03.919Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nX.509: Fix out-of-bounds access when parsing extensions\n\nLeo reports an out-of-bounds access when parsing a certificate with\nempty Basic Constraints or Key Usage extension because the first byte of\nthe extension is read before checking its length. Fix it.\n\nThe bug can be triggered by an unprivileged user by submitting a\nspecially crafted certificate to the kernel through the keyrings(7) API.\nLeo has demonstrated this with a proof-of-concept program responsibly\ndisclosed off-list."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["crypto/asymmetric_keys/x509_cert_parser.c"], "versions": [{"version": "30eae2b037af54b24109dcaea21db46f6285c69b", "lessThan": "672b526def1f94c1be8eb11b885b803da0d8c2f1", "status": "affected", "versionType": "git"}, {"version": "30eae2b037af54b24109dcaea21db46f6285c69b", "lessThan": "30ab358fad0c7daa1d282ec48089901b21b36a20", "status": "affected", "versionType": "git"}, {"version": "30eae2b037af54b24109dcaea21db46f6285c69b", "lessThan": "206121294b9cf27f0589857f80d64f87e496ffb2", "status": "affected", "versionType": "git"}, {"version": "30eae2b037af54b24109dcaea21db46f6285c69b", "lessThan": "7fb4dadc2734f4020d7543d688b8d49c8e569c61", "status": "affected", "versionType": "git"}, {"version": "30eae2b037af54b24109dcaea21db46f6285c69b", "lessThan": "d702c3408213bb12bd570bb97204d8340d141c51", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["crypto/asymmetric_keys/x509_cert_parser.c"], "versions": [{"version": "6.4", "status": "affected"}, {"version": "0", "lessThan": "6.4", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/672b526def1f94c1be8eb11b885b803da0d8c2f1"}, {"url": "https://git.kernel.org/stable/c/30ab358fad0c7daa1d282ec48089901b21b36a20"}, {"url": "https://git.kernel.org/stable/c/206121294b9cf27f0589857f80d64f87e496ffb2"}, {"url": "https://git.kernel.org/stable/c/7fb4dadc2734f4020d7543d688b8d49c8e569c61"}, {"url": "https://git.kernel.org/stable/c/d702c3408213bb12bd570bb97204d8340d141c51"}], "title": "X.509: Fix out-of-bounds access when parsing extensions", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nX.509: Fix out-of-bounds access when parsing extensions\n\nLeo reports an out-of-bounds access when parsing a certificate with\nempty Basic Constraints or Key Usage extension because the first byte of\nthe extension is read before checking its length. Fix it.\n\nThe bug can be triggered by an unprivileged user by submitting a\nspecially crafted certificate to the kernel through the keyrings(7) API.\nLeo has demonstrated this with a proof-of-concept program responsibly\ndisclosed off-list."}], "id": "CVE-2026-31430", "lastModified": "2026-04-20T10:16:16.877", "metrics": {}, "published": "2026-04-20T10:16:16.877", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/206121294b9cf27f0589857f80d64f87e496ffb2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/30ab358fad0c7daa1d282ec48089901b21b36a20"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/672b526def1f94c1be8eb11b885b803da0d8c2f1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7fb4dadc2734f4020d7543d688b8d49c8e569c61"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d702c3408213bb12bd570bb97204d8340d141c51"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: X.509: Fix out-of-bounds access when parsing extensions", "id": "2459691", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459691"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in the Linux kernel. An unprivileged user can exploit this vulnerability by submitting a specially crafted X.509 certificate to the kernel through the keyrings(7) application programming interface (API). This certificate, specifically when containing empty Basic Constraints or Key Usage extensions, can trigger an out-of-bounds access during parsing. An out-of-bounds access is a memory corruption issue where a program attempts to read or write data beyond the allocated memory region, which can lead to system instability or a denial of service."], "name": "CVE-2026-31430", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31430\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31430\nhttps://lore.kernel.org/linux-cve-announce/2026042008-CVE-2026-31430-299d@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[30eae2b037af54b24109dcaea21db46f6285c69b,672b526def1f94c1be8eb11b885b803da0d8c2f1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[30eae2b037af54b24109dcaea21db46f6285c69b,30ab358fad0c7daa1d282ec48089901b21b36a20)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[30eae2b037af54b24109dcaea21db46f6285c69b,206121294b9cf27f0589857f80d64f87e496ffb2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[30eae2b037af54b24109dcaea21db46f6285c69b,7fb4dadc2734f4020d7543d688b8d49c8e569c61)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[30eae2b037af54b24109dcaea21db46f6285c69b,d702c3408213bb12bd570bb97204d8340d141c51)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.135,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.82,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.23,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.13,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-20T12:50:47.986883+00:00", "value": {"mitigation_remediation": ["Apply the kernel update that contains the out\u2011of\u2011bounds read mitigation for X.509 extensions.", "Restrict keyring operations to privileged users or disable the keyring service until the patch is applied.", "Reboot the system to ensure the updated kernel is running."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Linux kernel distributions that have not yet incorporated the patch that fixes the out\u2011of\u2011bounds read when parsing X.509 extensions. The exact affected kernel versions are not listed; the fix applies to any kernel that contains the vulnerable code path identified in the CPE entry for Linux kernel.", "description_and_impact": "The kernel performs an X.509 extension parse that reads the first byte of a certificate extension before verifying its length, which causes an out\u2011of\u2011bounds read when a certificate contains an empty Basic Constraints or Key Usage extension. An attacker can exploit this by submitting a crafted certificate to the keyrings(7) API, enabling an unprivileged local user to read beyond the intended buffer boundary. The resulting memory read may reveal sensitive kernel data, leading to information disclosure. The vulnerability is not confirmed to allow privilege escalation, but the exposed kernel memory could be leveraged as a pivot for further attacks.", "risk_and_exploitability": "The flaw is local, requiring the attacker to have a user account and access to the keyrings API. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Because the vulnerability permits reading kernel memory, it poses a high risk of information disclosure for systems where the kernel is compromised. The likely attack vector is an unprivileged local user submitting a malicious certificate via the keyring interface."}}}}, "created": "2026-04-20T12:00:05.818388+00:00", "updated": "2026-04-20T13:00:07.313550+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}