Cyber Posture

CVE-2026-31697

High

Published: 01 May 2026
Modified: 06 May 2026
KEV Added: not listed
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0001 (2.4th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31697 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and one other technique, Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): flaw remediation ensures timely identification, patching, and deployment of kernel fixes to prevent the out-of-bounds copy_to_user on PSP firmware failures.

SI-11 Error Handling (prevent): error handling requires secure management of firmware command failures to avoid unsafe copy_to_user operations that leak kernel memory via slab-out-of-bounds reads.

SI-10 Information Input Validation (prevent): input validation on ioctl buffer lengths mitigates invalid userspace inputs that trigger PSP failures leading to mishandled copies.

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Local kernel memory disclosure via ioctl enables direct collection of sensitive data from the system (T1005) and commonly facilitates kernel exploit chains for privilege escalation by leaking addresses/credentials (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed

When retrieving the ID for the CPU, don't attempt to copy the ID blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e. the userspace buffer+length was too small, copying the number of bytes _firmware_ requires will overflow the kernel-allocated buffer and leak data to userspace.

  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
  Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388

  CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G U O 7.0.0-smp-DEV #28 PREEMPTLAZY
  Tainted: [U]=USER, [O]=OOT_MODULE
  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
  Call Trace:
   <TASK>
   dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
   print_address_description ../mm/kasan/report.c:378 [inline]
   print_report+0xbc/0x260 ../mm/kasan/report.c:482
   kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
   check_region_inline ../mm/kasan/generic.c:-1 [inline]
   kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
   instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
   _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
   _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
   copy_to_user ../include/linux/uaccess.h:236 [inline]
   sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222
   sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575
   vfs_ioctl ../fs/ioctl.c:51 [inline]
   __do_sys_ioctl ../fs/ioctl.c:597 [inline]
   __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
   </TASK>

WARN if the driver says the command succeeded, but the firmware error code says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any firmware error.

Deeper analysis

CVE-2026-31697 is a vulnerability in the Linux kernel's crypto CCP (Cryptographic Coprocessor) driver, specifically within the AMD SEV (Secure Encrypted Virtualization) implementation in drivers/crypto/ccp/sev-dev.c. The issue occurs in the sev_ioctl_do_get_id2 function during CPU ID retrieval via the PSP (Platform Security Processor). If the firmware command fails, for example because the userspace buffer length is invalid, the driver still copies the number of bytes the firmware reports as required to userspace, even though the kernel buffer was sized by the smaller userspace length. The result is a slab-out-of-bounds read from the kernel-allocated buffer. KASAN detected this as a 64-byte read extending past the buffer boundary, which can leak kernel memory.

A local attacker with low privileges (PR:L) can exploit this via an ioctl call on the SEV device, such as with a deliberately undersized userspace buffer. Low attack complexity (AC:L) and no user interaction (UI:N) are required in an unchanged scope (S:U). Successful exploitation leads to high confidentiality impact (C:H) through kernel data leakage and high availability impact (A:H) via potential kernel crashes or warnings, as evidenced by the KASAN report and added driver WARN for firmware error mismatches. The CVSS v3.1 base score is 7.1.

Mitigation involves applying upstream Linux kernel patches from the provided stable branch commits, including 06f06d88c05ce176c61fff8c72c372847b0dd2b5, 09427bcb1715fb20a80b6acd5156dbf15ab5c363, 1fbac0429a42adec830491757a2b53956dd797ea, 2937f17bbeefb8e7608ff1f78cffbeb3d0281e5e, and 4f685dbfa87c546e51d9dc6cab379d20f275e114. These commits prevent the copy_to_user operation if the PSP command fails and add warnings for driver-firmware success discrepancies, ensuring __sev_do_cmd_locked returns -EIO on firmware errors.
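The defective ordering described above, beside the corrected one, as an added illustration that is not the kernel's code. A simulated firmware call (psp_get_id) stands in for the PSP command; it reports an error and the required length when the caller's buffer is too short. psp_get_id, get_id_vulnerable, get_id_fixed and PSP_RET_INVALID_LEN are hypothetical names, and the 64-byte ID length is constructed to match the size in the KASAN report.

```c
/* Added illustration (not the kernel's code): a simulated "get ID" ioctl
 * handler showing the defective ordering CVE-2026-31697 describes beside the
 * corrected ordering. psp_get_id, get_id_vulnerable, get_id_fixed and
 * PSP_RET_INVALID_LEN are hypothetical names. */
#include <stdlib.h>
#include <string.h>

#define EIO 5
#define PSP_RET_OK          0
#define PSP_RET_INVALID_LEN 1
#define FW_ID_LEN 64   /* constructed: bytes the simulated firmware wants to write */

/* Simulated firmware: on a too-short buffer it writes nothing, stores the
 * required length in *len and reports an error, as the description says. */
static int psp_get_id(unsigned char *buf, size_t *len) {
    if (*len < FW_ID_LEN) { *len = FW_ID_LEN; return PSP_RET_INVALID_LEN; }
    memset(buf, 0xAB, FW_ID_LEN);
    return PSP_RET_OK;
}

/* Defective ordering: the buffer is sized by the caller's length, but the
 * copy uses the firmware-updated length and the status is never checked.
 * Returns how many bytes the copy would read past the allocation. */
static size_t get_id_vulnerable(size_t user_len) {
    size_t len = user_len;
    unsigned char *kbuf = calloc(user_len ? user_len : 1, 1);
    psp_get_id(kbuf, &len);                 /* status ignored */
    size_t over = len > user_len ? len - user_len : 0;  /* out-of-bounds bytes */
    free(kbuf);
    return over;
}

/* Corrected ordering: propagate the firmware failure as -EIO before any copy;
 * on success copy only what was allocated. */
static int get_id_fixed(size_t user_len, unsigned char *out, size_t *out_len) {
    size_t len = user_len;
    unsigned char *kbuf = calloc(user_len ? user_len : 1, 1);
    int fw_err = psp_get_id(kbuf, &len);
    *out_len = len;                         /* report required length either way */
    if (fw_err != PSP_RET_OK || len > user_len) {
        free(kbuf);
        return -EIO;                        /* no copy on failure */
    }
    memcpy(out, kbuf, len);
    free(kbuf);
    return 0;
}
```

With a 16-byte caller buffer the vulnerable path would read 48 bytes past the allocation, while the fixed path returns -EIO and copies nothing.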

Details

CWE(s): CWE-787 (Out-of-bounds Write)

Affected Products

Linux, linux kernel (CVSS 7.1): versions 5.2 to 6.6.136, 6.7 to 6.12.84, 6.13 to 6.18.25

CVEs Like This One

CVE-2026-31698 (same product: Linux kernel)
CVE-2026-31743 (same product: Linux kernel)
CVE-2025-21735 (same product: Linux kernel)
CVE-2025-71137 (same product: Linux kernel)
CVE-2026-23073 (same product: Linux kernel)
CVE-2025-21734 (same product: Linux kernel)
CVE-2025-21724 (same product: Linux kernel)
CVE-2025-71155 (same product: Linux kernel)
CVE-2024-54456 (same product: Linux kernel)
CVE-2026-23343 (same product: Linux kernel)

References