● High · CVSS 8.2

How to Fix CVE-2026-31788: Critical Vulnerability in Linux

Q: Is CVE-2026-31788 being exploited in the wild?

Public exploitation has not been confirmed by CISA at the time of writing. Treat the patch as time-sensitive anyway; reports often lag actual abuse.

Q: Will a WAF or IDS rule fully mitigate CVE-2026-31788?

No. Network-layer filters can reduce noise and slow opportunistic scanners, but they will not stop a determined attacker. The vendor patch is the only durable fix.

Q: How long should I plan for the upgrade?

Typical vendor-documented upgrade windows for Linux run from a few minutes to under an hour depending on cluster size. Test in a staging environment first and follow the vendor's documented HA upgrade order.

Other vulnerabilities in the same area that are worth patching alongside this one:

How to Fix CVE-2026-23023: Critical Vulnerability in Linux — Critical Vulnerability in Linux
How to Fix CVE-2026-43405: Security Vulnerability in Linux — Security Vulnerability in Linux
How to Fix CVE-2026-23145: Critical Vulnerability in Linux , Critical Vulnerability in Linux
How to Fix CVE-2026-23047: Critical Vulnerability in Linux , Critical Vulnerability in Linux
How to Fix CVE-2026-43236: Use-After-Free in Linux , Use-After-Free in Linux

*By Sai Kiran Pandrala*

⚡ At a glance


Severity	CVSS 8.2 - High
Actively exploited?	Not currently listed in CISA KEV
Affected	1c5de1939c204bde9cce87f4eb3d26e9f9eb732b < 4eb245ff0d33b618e097a2c23de5df56d4ad6969, 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b < 3ee5b9e3de4b8bdd74183d83205481c91a9effc8, 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b < 87a803edb2ded911cb587c53bff179d2a2ed2a28, 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b < 1879319d790f7d57622cdc22807b60ea78b56b6d, 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b < 78432d8f0372c71c518096395537fa12be7ff24e, 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b < 389bae9a4409934e8b8d4dbdaaf02a3ae71cf8e4, and others
Fixed in	0, 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78
Type (CWE)	Not verified

What is CVE-2026-31788?

CVE-2026-31788 is a security flaw in Linux. In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in unprivileged domU The Xen privcmd driver allows to issue arbitrary hypercalls from user space processes. This is normally no problem, as access is usually limited to root and the hypervisor will deny any hypercalls affecting other domains.

Why this CVE matters

Unpatched network-facing software is the leading initial-access vector in public breach reporting. Treat any CVSS-9 class flaw on an internet-reachable system as urgent, regardless of whether public exploit code has been observed yet.

For deployments of Linux that have been exposed to the public internet during the disclosure window, the operating assumption should be that scanning has already happened. Even where exploitation has not been publicly observed, scanning for the vulnerable fingerprint is cheap and routine. Patching closes the door; log review and credential rotation close out the rest of the response.

Am I affected?

You are affected if your installation matches any of these version ranges:

Linux: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b < 4eb245ff0d33b618e097a2c23de5df56d4ad6969
Linux: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b < 3ee5b9e3de4b8bdd74183d83205481c91a9effc8
Linux: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b < 87a803edb2ded911cb587c53bff179d2a2ed2a28
Linux: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b < 1879319d790f7d57622cdc22807b60ea78b56b6d
Linux: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b < 78432d8f0372c71c518096395537fa12be7ff24e
Linux: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b < 389bae9a4409934e8b8d4dbdaaf02a3ae71cf8e4
Linux: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b < cbede2e833da1893afbea9b3ff29b5dda23a4a91
Linux: 1c5de1939c204bde9cce87f4eb3d26e9f9eb732b < 453b8fb68f3641fea970db88b7d9a153ed2a37e8

Check your installed version against the list above. If you cannot determine the version, treat the system as affected and follow the upgrade path below.

Run uname -r to read the kernel release. Compare against the affected ranges; on distro kernels, also check the package version with dpkg -l linux-image-$(uname -r) or rpm -q kernel.

How to fix CVE-2026-31788

Read the vendor advisory in full: https://git.kernel.org/stable/c/4eb245ff0d33b618e097a2c23de5df56d4ad6969
Upgrade Linux to 0, 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0 or a later version listed in the vendor advisory.
Back up the configuration (and database, where applicable) before upgrading.
Apply the patch in a maintenance window. For HA pairs, upgrade the standby node first, fail over, then upgrade the former primary.
Restart the affected service so the patched binary loads, then verify the new version (see verification section).

The commands below are runnable starting points. Adapt the package name, target version, and host paths to your environment using the vendor advisory linked under References.

Ubuntu / Debian


sudo apt-get update
sudo apt-get install --only-upgrade linux-image-generic
dpkg -s linux-image-generic | grep -i version

RHEL / CentOS / Rocky / AlmaLinux


sudo dnf upgrade --refresh linux-image-generic -y
rpm -q linux-image-generic

Container image


# Vendor advisory: https://git.kernel.org/stable/c/4eb245ff0d33b618e097a2c23de5df56d4ad6969
docker pull <your-registry>/linux-image-generic:<patched-tag>
docker build -t <your-app>:patched .
docker stop <your-app> && docker rm <your-app>
docker run -d --name <your-app> <your-app>:patched

PowerShell detect/upgrade/verify/log (Windows)


# CVE-2026-31788 remediation runner. Adapt version checks to your environment.
$log = "C:\Logs\CVE-2026-31788-fix.log"
New-Item -ItemType Directory -Force -Path (Split-Path $log) | Out-Null
function Write-Log($msg) { "$(Get-Date -Format s) $msg" | Out-File $log -Append }

try {
    Write-Log "Detect: checking installed product"
    $installed = Get-CimInstance Win32_Product -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'Linux' }
    if (-not $installed) { Write-Log "Product not installed; nothing to do"; return }
    Write-Log "Found version $($installed.Version)"

    Write-Log "Backup: copying program files and registry hive"
    $stamp = Get-Date -Format yyyyMMdd-HHmm
    $backup = "C:\Backup\CVE-2026-31788-$stamp"
    New-Item -ItemType Directory -Force -Path $backup | Out-Null
    Copy-Item $installed.InstallLocation $backup -Recurse -ErrorAction SilentlyContinue
    reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall "$backup\uninstall.reg" /y | Out-Null

    Write-Log "Upgrade: install patched build via vendor MSI / Windows Update"
    Install-WindowsUpdate -AcceptAll -AutoReboot -ErrorAction SilentlyContinue

    Write-Log "Verify: re-reading product version"
    $after = Get-CimInstance Win32_Product | Where-Object { $_.Name -match 'Linux' }
    Write-Log "Post-patch version: $($after.Version)"
    if ($after.Version -ne $installed.Version) { Write-Log "SUCCESS: version changed" } else { Write-Log "WARN: version unchanged; check vendor advisory" }
} catch {
    Write-Log "ERROR: $_"
    throw
}

Bash detect/upgrade/verify/log (Linux)


#!/usr/bin/env bash
# CVE-2026-31788 remediation runner. Re-runnable, exits non-zero on failure.
set -euo pipefail
log() { printf '%s %s\n' "$(date -Is)" "$*" | tee -a /var/log/cve-2026-31788-fix.log; }

log "Detect: current linux-image-generic version"
if command -v dpkg >/dev/null 2>&1; then
    current=$(dpkg-query -W -f='${Version}' linux-image-generic 2>/dev/null || echo "not-installed")
elif command -v rpm >/dev/null 2>&1; then
    current=$(rpm -q --qf '%{VERSION}-%{RELEASE}' linux-image-generic 2>/dev/null || echo "not-installed")
else
    current="unknown"
fi
log "Current: $current"

log "Backup: snapshotting config"
backup="/var/backups/cve-2026-31788-$(date +%Y%m%d-%H%M)"
mkdir -p "$backup"
[ -d /etc/linux-image-generic ] && cp -a /etc/linux-image-generic "$backup/" || true

log "Upgrade: applying vendor patch"
if command -v apt-get >/dev/null 2>&1; then
    sudo apt-get update -qq
    sudo apt-get install -y --only-upgrade linux-image-generic
elif command -v dnf >/dev/null 2>&1; then
    sudo dnf upgrade -y linux-image-generic
elif command -v yum >/dev/null 2>&1; then
    sudo yum update -y linux-image-generic
fi

log "Verify: re-reading linux-image-generic version"
if command -v dpkg >/dev/null 2>&1; then
    after=$(dpkg-query -W -f='${Version}' linux-image-generic)
else
    after=$(rpm -q --qf '%{VERSION}-%{RELEASE}' linux-image-generic)
fi
log "After: $after"

if [ "$after" != "$current" ]; then
    log "SUCCESS: linux-image-generic upgraded"
else
    log "WARN: version unchanged. Confirm the patched build is in your repository."
    exit 1
fi

If you cannot patch immediately

Restrict access to the management interface to trusted internal IP addresses only. Block public access at the firewall and require VPN for any remote administration. Apply the patch as soon as a maintenance window allows.

How to verify the fix worked

After applying the patch, verify the running version in the product's admin UI or via the vendor-documented CLI command.
Confirm the patched build matches the version listed in the vendor advisory.
Run an authenticated vulnerability scan with a current signature set and confirm the scanner no longer flags CVE-2026-31788.
Review logs for the entire pre-patch window for indicators of compromise listed in the vendor or CISA advisory.
Confirm any network-layer mitigations that were applied as a stopgap have been reverted (or left in place intentionally) once the patch is verified.

If your installation was internet-reachable during the disclosure window, treat log review as part of the remediation rather than an optional follow-up. Look for log entries that do not match your normal request patterns, especially repeated requests to the same uncommon endpoint, and any administrative changes you cannot tie back to a known operator.

Frequently asked questions

Is CVE-2026-31788 being exploited in the wild?