{ "affected": [ { "ecosystem_specific": {}, "package": { "ecosystem": "Alpine:v3.21", "name": "xen", "purl": "pkg:apk/alpine/xen?arch=source" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": {}, "package": { "ecosystem": "Alpine:v3.22", "name": "xen", "purl": "pkg:apk/alpine/xen?arch=source" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": {}, "package": { "ecosystem": "Alpine:v3.23", "name": "xen", "purl": "pkg:apk/alpine/xen?arch=source" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0" } ], "type": "ECOSYSTEM" } ] } ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBuffer overflow in drivers/xen/sys-hypervisor.c\n\nThe build id returned by HYPERVISOR_xen_version(XENVER_build_id) is\nneither NUL terminated nor a string.\n\nThe first causes a buffer overflow as sprintf in buildid_show will\nread and copy till it finds a NUL.\n\n00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|\n00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|\n00000017\n\nSo use a memcpy instead of sprintf to have the correct value:\n\n00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|\n00000010 b9 a8 01 42 |...B|\n00000014\n\n(the above have a hack to embed a zero inside and check it's\nreturned correctly).\n\nThis is XSA-485 / CVE-2026-31786", "id": "ALPINE-CVE-2026-31786", "modified": "2026-05-01T08:18:04.897108967Z", "published": "2026-04-30T11:16:20.967Z", "references": [ { "type": "ADVISORY", "url": "https://security.alpinelinux.org/vuln/CVE-2026-31786" } ], "upstream": [ "CVE-2026-31786" ] }