Description

In the Linux kernel, the following vulnerability has been resolved:

module: Fix kernel panic when a symbol st_shndx is out of bounds

The module loader doesn't check for bounds of the ELF section index in simplify_symbols():

    for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
        const char *name = info->strtab + sym[i].st_name;

        switch (sym[i].st_shndx) {
        case SHN_COMMON:
        [...]
        default:
            /* Divert to percpu allocation if a percpu var. */
            if (sym[i].st_shndx == info->index.pcpu)
                secbase = (unsigned long)mod_percpu(mod);
            else
                /** HERE --> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
            sym[i].st_value += secbase;
            break;
        }
    }

A symbol with an out-of-bounds st_shndx value, for example 0xffff (known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:

    BUG: unable to handle page fault for address: ...
    RIP: 0010:simplify_symbols+0x2b2/0x480
    ...
    Kernel panic - not syncing: Fatal exception

This can happen when module ELF is legitimately using SHN_XINDEX or when it is corrupted.

Add a bounds check in simplify_symbols() to validate that st_shndx is within the valid range before using it.

This issue was discovered due to a bug in llvm-objcopy, see relevant discussion for details [1].

[1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/
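The bounds check the description calls for, shown as an added userspace example (it is not the kernel patch and not code from this record): it walks a symbol table the way the quoted loop does and reports the first st_shndx that would index past the section header table. The function name `first_oob_symbol`, the sample tables, and the choice to skip SHN_UNDEF and SHN_ABS alongside SHN_COMMON are assumptions of this example.

```c
#include <elf.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: return the index of the first symbol whose st_shndx
 * would index past a section header table of `shnum` entries, or 0 if every
 * symbol is safe. Index 0 is the reserved null symbol, so the scan starts at
 * 1, as in the loop quoted in the description. */
size_t first_oob_symbol(const Elf64_Sym *sym, size_t nsyms, size_t shnum)
{
    for (size_t i = 1; i < nsyms; i++) {
        switch (sym[i].st_shndx) {
        case SHN_UNDEF:
        case SHN_ABS:
        case SHN_COMMON:
            continue;   /* reserved values: no section header lookup needed */
        default:
            /* Catches SHN_XINDEX (0xffff) and any corrupted index before
             * it could be used as sechdrs[st_shndx]. */
            if (sym[i].st_shndx >= shnum)
                return i;
        }
    }
    return 0;
}

/* Constructed sample data: symbol tables for a module with 5 sections. */
static const Elf64_Sym sample_ok[] = {
    {0},
    {.st_shndx = 2},
    {.st_shndx = SHN_ABS},
    {.st_shndx = 4},
};
static const Elf64_Sym sample_bad[] = {
    {0},
    {.st_shndx = 2},
    {.st_shndx = SHN_XINDEX},   /* 0xffff, the value named in the description */
    {.st_shndx = 7},
};

int main(void)
{
    printf("ok table:  first bad symbol = %zu\n", first_oob_symbol(sample_ok, 4, 5));
    printf("bad table: first bad symbol = %zu\n", first_oob_symbol(sample_bad, 4, 5));
    return 0;
}
```

A loader that rejects the module when this returns non-zero fails closed on both the corrupted case and the SHN_XINDEX case, instead of faulting on the out-of-range read.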

PUBLISHED Reserved 2026-03-09 | Published 2026-04-22 | Updated 2026-04-23 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 5d16f519b6eb1d071807e57efe0df2baa8d32ad6
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 4bbdb0e48176fd281c2b9a211b110db6fd94e175
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 082f15d2887329e0f43fd3727e69365f5bfe5d2c
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ec2b22a58073f80739013588af448ff6e2ab906f
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ef75dc1401d8e797ee51559a0dd0336c225e1776
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 6ba6957c640f58dc8ef046981a045da43e47ea23
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before f9d69d5e7bde2295eb7488a56f094ac8f5383b92
affected

Default status
affected

2.6.12
affected

Any version before 2.6.12
unaffected

5.15.203 (semver)
unaffected

6.1.168 (semver)
unaffected

6.6.131 (semver)
unaffected

6.12.80 (semver)
unaffected

6.18.21 (semver)
unaffected

6.19.11 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/5d16f519b6eb1d071807e57efe0df2baa8d32ad6

git.kernel.org/...c/4bbdb0e48176fd281c2b9a211b110db6fd94e175

git.kernel.org/...c/082f15d2887329e0f43fd3727e69365f5bfe5d2c

git.kernel.org/...c/ec2b22a58073f80739013588af448ff6e2ab906f

git.kernel.org/...c/ef75dc1401d8e797ee51559a0dd0336c225e1776

git.kernel.org/...c/6ba6957c640f58dc8ef046981a045da43e47ea23

git.kernel.org/...c/f9d69d5e7bde2295eb7488a56f094ac8f5383b92

cve.org (CVE-2026-31521)

nvd.nist.gov (CVE-2026-31521)
