CVE-2026-31558
Published: 24 April 2026
Summary
CVE-2026-31558 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 2.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2026-31558 by requiring timely patching of the Linux kernel to add bounds checking in kvm_get_vcpu_by_cpuid() and prevent out-of-bounds access.
Identifies systems vulnerable to CVE-2026-31558 through vulnerability scanning targeted at LoongArch KVM kernel versions.
Monitors for exploitation indicators such as anomalous kernel behavior or out-of-bounds access attempts in LoongArch KVM environments.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OOB read in LoongArch KVM kernel code directly enables local exploitation for privilege escalation (T1068) with scope change and kernel crashes/DoS (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust. kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this case so as to make it more robust. This fixes an out-of-bounds access to kvm_arch::phyid_map::phys_map[].
Deeper analysis
CVE-2026-31558 is a vulnerability in the Linux kernel's LoongArch KVM implementation. The issue affects the kvm_get_vcpu_by_cpuid() function, which takes an int cpuid parameter that can be negative, resulting in an out-of-bounds access to kvm_arch::phyid_map::phys_map[]. This corresponds to CWE-125 (Out-of-bounds Read) and has a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows high-impact consequences across confidentiality, integrity, and availability (C:H/I:H/A:H), with a changed scope (S:C) that enables the attacker to affect resources beyond the vulnerable component, such as escalating privileges or causing kernel crashes within a LoongArch KVM environment.
Mitigation involves applying patches from Linux kernel stable releases, as detailed in the following commit references: https://git.kernel.org/stable/c/2db06c15d8c7a0ccb6108524e16cd9163753f354, https://git.kernel.org/stable/c/47857b05bd50db01e211a1b6f513d57901cd3e6b, https://git.kernel.org/stable/c/596c3f8069c4792f22fce8c4452f44410032d910, and https://git.kernel.org/stable/c/878cf6acb4fd8ab4126cf9d369a5bb0e23123418. These commits modify kvm_get_vcpu_by_cpuid() to return NULL for negative cpuid values, preventing the out-of-bounds access. Security practitioners should update affected LoongArch KVM systems promptly.
Details
- CWE(s)