CVE-2026-31770

Description

In the Linux kernel, the following vulnerability has been resolved: hwmon: (occ) Fix division by zero in occ_show_power_1() In occ_show_power_1() case 1, the accumulator is divided by update_tag without checking for zero. If no samples have been collected yet (e.g. during early boot when the sensor block is included but hasn't been updated), update_tag is zero, causing a kernel divide-by-zero crash. The 2019 fix in commit 211186cae14d ("hwmon: (occ) Fix division by zero issue") only addressed occ_get_powr_avg() used by occ_show_power_2() and occ_show_power_a0(). This separate code path in occ_show_power_1() was missed. Fix this by reusing the existing occ_get_powr_avg() helper, which already handles the zero-sample case and uses mul_u64_u32_div() to multiply before dividing for better precision. Move the helper above occ_show_power_1() so it is visible at the call site. [groeck: Fix alignment problems reported by checkpatch]

CVSS v3.1 Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS — Exploit Prediction

0.0001

Probability of exploitation

0.02%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-369 CWE-369

Affected Products

Vendor	Product	Versions
linux	linux_kernel	5.0 — 5.10.253
linux	linux_kernel	5.11 — 5.15.203
linux	linux_kernel	5.16 — 6.1.168
linux	linux_kernel	6.2 — 6.6.134
linux	linux_kernel	6.7 — 6.12.81
linux	linux_kernel	6.13 — 6.18.22
linux	linux_kernel	6.19 — 6.19.12
linux	linux_kernel	All
linux	linux_kernel	All
linux	linux_kernel	All
linux	linux_kernel	All
linux	linux_kernel	All
linux	linux_kernel	All

References

Advisories & Patches

https://git.kernel.org/stable/c/243d55bd3f08cb15eee9d63f4716d4d4cdd760f5 https://git.kernel.org/stable/c/2502684b9e835de9a992ec47c3e6c6faabe3858d https://git.kernel.org/stable/c/37ae8fadc74ed68e5bc364ffd17746d88e449ae3 https://git.kernel.org/stable/c/39e2a5bf970402a8530a319cf06122e216ba57b8 https://git.kernel.org/stable/c/53e6175756b8c474b6247bbcea0aad3d68357475 https://git.kernel.org/stable/c/7b89ce0c98bf3015f493ca4285b2d1056cd8c733 https://git.kernel.org/stable/c/bbbefc48f6617cfb738dcff7f44beb50b5dfeb38 https://git.kernel.org/stable/c/c7d3712362c8ab8f82f441b649d9e446e7b9aa9d

Frequently Asked Questions

What is CVE-2026-31770? +

In the Linux kernel, the following vulnerability has been resolved: hwmon: (occ) Fix division by zero in occ_show_power_1() In occ_show_power_1() case 1, the accumulator is divided by update_tag without checking for zero. If no samples have been collected yet (e.g. during early boot when the sensor block is included but hasn't been updated), update_tag is zero, causing a kernel divide-by-zero crash. The 2019 fix in commit 211186cae14d ("hwmon: (occ) Fix division by zero issue") only addressed occ_get_powr_avg() used by occ_show_power_2() and occ_show_power_a0(). This separate code path in occ_show_power_1() was missed. Fix this by reusing the existing occ_get_powr_avg() helper, which already handles the zero-sample case and uses mul_u64_u32_div() to multiply before dividing for better precision. Move the helper above occ_show_power_1() so it is visible at the call site. [groeck: Fix alignment problems reported by checkpatch] It has a CVSS v3.1 base score of 5.5 (MEDIUM).

How severe is CVE-2026-31770? +

CVE-2026-31770 has a CVSS v3.1 score of 5.5 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance. The EPSS score is 0.0001, placing it in the 0th percentile for exploitation probability.

What products are affected by CVE-2026-31770? +

CVE-2026-31770 affects products from linux, specifically: linux_kernel. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2026-31770? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-4637

Divide By Zero vulnerability in davisking dlib allows remote attackers to cause a denial of service via a crafted file. …

CVE-2025-54873

RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture. RISC packages risc0-zkvm versions …

CVE-2024-26945 8.4

In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix nr_cpus < nr_iaa case If nr_cpus …

CVE-2024-4785 7.6

BT: Missing Check in LL_CONNECTION_UPDATE_IND Packet Leads to Division by Zero

CVE-2024-6135 7.6

BT:Classic: Multiple missing buf length checks

CVE-2026-33593 7.5

A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.