Cyber Resilience

CVE-2026-31553

High

Published: 24 April 2026

Modified: 27 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0012 (2.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31553 is a high-severity vulnerability in the Linux kernel; its weakness type is unspecified. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-31553 affects the Linux kernel's KVM implementation on arm64 architectures. The vulnerability resides in the __kvm_at_swap_desc() function, where virtual addresses for S1/S2 descriptors were incorrectly calculated using "(u64 __user *)hva + offset". Because hva is cast to a pointer to 8-byte u64 values before the addition, C pointer arithmetic scales offset by 8. When the offset is non-zero, this results in hva + offset*8 instead of the intended hva + offset, potentially leading to improper descriptor swapping.
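The scaling described above, as an added example that is not the kernel's code or its patch: a userspace C program that evaluates both address forms over a constructed buffer so the results can be compared. The names `table`, `desc_ptr_scaled`, `desc_ptr_bytes` and `byte_distance` are hypothetical, and `__user` is assumed to be an empty macro outside the kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the kernel's __user annotation is an empty macro in userspace. */
#define __user

/* Constructed stand-in for a table of 8-byte descriptors (hypothetical). */
static uint64_t table[64];

/* Expression quoted in the advisory: the cast happens first, so "+ offset"
 * is u64 pointer arithmetic and advances offset * sizeof(u64) bytes. */
static uint64_t __user *desc_ptr_scaled(uintptr_t hva, size_t offset)
{
    return (uint64_t __user *)hva + offset;
}

/* Byte-offset form: add on the integer address, then cast (hva + offset). */
static uint64_t __user *desc_ptr_bytes(uintptr_t hva, size_t offset)
{
    return (uint64_t __user *)(hva + offset);
}

/* Bytes between the table base and a computed descriptor pointer. */
static size_t byte_distance(const uint64_t *p)
{
    return (size_t)((uintptr_t)p - (uintptr_t)table);
}

int main(void)
{
    /* Constructed byte offsets of descriptors 0, 1, 2 and 7. */
    const size_t offsets[] = { 0, 8, 16, 56 };
    uintptr_t hva = (uintptr_t)table;

    for (size_t i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
        size_t off = offsets[i];
        printf("offset %2zu: scaled form -> +%3zu bytes (entry %2zu), "
               "byte form -> +%2zu bytes (entry %zu)\n", off,
               byte_distance(desc_ptr_scaled(hva, off)),
               byte_distance(desc_ptr_scaled(hva, off)) / 8,
               byte_distance(desc_ptr_bytes(hva, off)),
               byte_distance(desc_ptr_bytes(hva, off)) / 8);
    }
    return 0;
}
```

The two forms agree only at offset 0, which is why the advisory text singles out the non-zero case.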

A local attacker with low privileges can exploit this issue with low attack complexity and no user interaction. Exploitation has high impact on confidentiality, integrity, and availability with a changed scope, as reflected in the CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Mitigation is provided through patches in the Linux kernel stable repository. Relevant commits include 0496acc42fb51eee040b5170cec05cec41385540 and 4307e05e568782fc92eff651b09ee5dee88a058d, which correct the descriptor address computation in __kvm_at_swap_desc(). Systems running affected kernel versions should apply these updates promptly.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc()

Using "(u64 __user *)hva + offset" to get the virtual addresses of S1/S2 descriptors looks really wrong, if offset is not zero. What we want to get for swapping is hva + offset, not hva + offset*8. ;-)

Fix it.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1611 Escape to Host (tactic: Privilege Escalation)
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
Why these techniques?

The KVM arm64 memory corruption bug (descriptor address miscalculation) allows local low-privilege exploitation with scope change, directly enabling privilege escalation and VM-to-host escape.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23425 · Same product: Linux Linux Kernel
CVE-2026-31788 · Same product: Linux Linux Kernel
CVE-2026-31569 · Same product: Linux Linux Kernel
CVE-2026-31474 · Same product: Linux Linux Kernel
CVE-2026-31516 · Same product: Linux Linux Kernel
CVE-2024-57792 · Same product: Linux Linux Kernel
CVE-2026-23326 · Same product: Linux Linux Kernel
CVE-2026-23280 · Same product: Linux Linux Kernel
CVE-2025-71123 · Same product: Linux Linux Kernel
CVE-2026-31570 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.19, 7.0 · 6.19.1 — 6.19.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identifying, prioritizing, testing, and deploying patches to fix kernel flaws like the incorrect descriptor address calculation in KVM's __kvm_at_swap_desc().

detect

Vulnerability scanning detects systems running Linux kernel versions vulnerable to CVE-2026-31553 in the KVM arm64 implementation.

prevent

Receives and disseminates security alerts and directives to enable timely patching of KVM kernel vulnerabilities like this descriptor swapping error.

References